[TYPO3-dev] Improvement against SQL injections

Martin Schoenbeck ms.usenet.nospam at schoenbeck.de
Sat Jun 16 14:20:54 CEST 2007


Hi Martin,

Martin Kutschker schrieb:

> Use two DB users: one is for the BE and has full write access. The other 
> for the FE has only read access to tables like be_users (or no access at 
> all!). If you want to, you can tune the permissions down to column level.

I want to support your and Ries's approach. It's the only one promising a
real benefit. And it places the access control where it belongs. Trying to
deal with corrupted database tables is doomed to fail, because you'll never
be able to anticipate all possible cases where a database change may lead
to execution of unintended code. With TypoScript you are able to run a
broad range of extension code, which perhaps was never intended for
execution on the frontend.

Martin
-- 
Please don't fiddle with the e-mail address, it's fine as it is.
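The two-account split discussed above, as an added example that is not part of the original post or of TYPO3 itself: one MySQL account for the backend with full write access, one for the frontend that starts with no privileges and is granted read access table by table, with one column-level grant. The database name `typo3`, the account names `typo3_be` and `typo3_fe`, the host, the placeholder passwords and the particular tables and columns are assumptions for illustration and must be adapted to the installation and the extensions it runs.

```sql
-- Added example, not from the original post. Assumed names: database
-- `typo3`, accounts `typo3_be` / `typo3_fe` on `localhost`, placeholder
-- passwords, and an illustrative table list that must be adjusted to the
-- tables the frontend of a given installation actually reads and writes.

-- Backend account: full read/write on every table in the TYPO3 database.
CREATE USER 'typo3_be'@'localhost' IDENTIFIED BY 'change-me-be';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, INDEX, DROP
    ON typo3.* TO 'typo3_be'@'localhost';

-- Frontend account: created with no privileges at all ...
CREATE USER 'typo3_fe'@'localhost' IDENTIFIED BY 'change-me-fe';

-- ... and then given read access only to the content tables it renders.
GRANT SELECT ON typo3.pages        TO 'typo3_fe'@'localhost';
GRANT SELECT ON typo3.tt_content   TO 'typo3_fe'@'localhost';
GRANT SELECT ON typo3.sys_template TO 'typo3_fe'@'localhost';
GRANT SELECT ON typo3.sys_domain   TO 'typo3_fe'@'localhost';

-- Column-level tuning: frontend logins need fe_users, but not every column.
-- (Column names assumed; check the installation's fe_users definition.)
GRANT SELECT (uid, pid, username, password, usergroup,
              disable, deleted, starttime, endtime)
    ON typo3.fe_users TO 'typo3_fe'@'localhost';
GRANT SELECT ON typo3.fe_groups TO 'typo3_fe'@'localhost';

-- Tables the frontend legitimately writes to get explicit write grants.
-- Anything not listed here (be_users, be_groups, sys_log, ...) stays
-- unreachable for this account, whatever query string reaches the server.
GRANT SELECT, INSERT, UPDATE, DELETE
    ON typo3.fe_sessions TO 'typo3_fe'@'localhost';

FLUSH PRIVILEGES;

-- Check: list the effective grants of the frontend account. be_users must
-- not appear anywhere in the output.
SHOW GRANTS FOR 'typo3_fe'@'localhost';
```

With these grants in place, a statement such as `SELECT * FROM be_users` issued over the frontend connection is rejected by the server with a "command denied" error, regardless of how the statement was assembled, which is the point made in the thread: the control sits in the database, not in the code that builds the query. The cost is that every frontend feature that writes (form extensions, page cache tables, statistics) fails until it is given an explicit grant; the denied-command errors in the web server log are the quickest way to find the tables that still need one. How TYPO3 is told which account to use in which context is not covered by the post and is not part of this example.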
