[TYPO3-dev] Improvement against SQL injections

ries van Twisk typo3 at rvt.dds.nl
Sat Jun 16 17:46:35 CEST 2007


On Jun 16, 2007, at 8:43 AM, Lars Houmark wrote:

> On 16/06/07 15:19, in article
> mailman.329956.1181999992.21067.typo3-dev at lists.netfielders.de,
> "ries van Twisk" <typo3 at rvt.dds.nl> wrote:
>
>> One problem with two DB users (now I think of it)
>> is that maybe some hosters don't allow you to set up
>> two users for one database. I am not sure since I never
>> use a hoster to host my websites.
>>
>> I remember that once I have seen Plesk and that is just a
>> big pain in the arse to get things done.
>>
>> Does somebody know more about that?
>>
>
> This was exactly my point. The security of the backend depends
> on first access/allowance of using two DB users and secondly that the user is
> actually doing it.
>
> We have learned from the coding guidelines that even developers do not read
> them and create insecure extensions - otherwise we would not have this
> discussion.
>
> So I seek a solution where this is controlled with no user setup and by
> TYPO3 alone. I think your ideas about improving security with improved setup
> belong in the documentation about tuning a server setup.
>
> - Lars
>
>

Lars,

I am not too sure how much it would really help, although
I don't understand it completely.

What you are trying to prevent is unauthorized access to the BE if a set
of tables is not valid, right?

I think it's a nice system to block unauthorized access.

What if we parse all GET/POST vars and try to detect if we see any
SQL queries? If we see that, we block access from that IP and send a mail to the
administrator.

Under normal conditions in the FE you would never see any SQL query at all,
and we then protect the complete FE for all extensions in one go.

This will take some additional overhead (create a PHP module???) but it might
be something to bring the security in general to a higher level.

Ries
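The request-scanning idea from Ries's message, as an added example that is not TYPO3 code and not from either poster: a heuristic scanner over request parameters that returns the ones looking like SQL, so a caller could log, mail the administrator or block. The constructed sample request deliberately includes a harmless search phrase to show that keyword matching also produces false positives, which is the main weakness of this approach compared with fixing the queries themselves.

```php
<?php
// Added example (not TYPO3 code): heuristic scan of GET/POST values for
// SQL-like fragments. Returns [paramName => matchedPattern]; the caller
// decides whether to log, alert or block. Patterns are conservative: a
// lone keyword is not enough, the value must also carry SQL structure.
function findSqlLikeParams(array $params): array
{
    $patterns = [
        // keyword followed within 64 chars by FROM/INTO/SET/WHERE
        'dml'       => '/\b(select|insert|update|delete)\b[\s\S]{0,64}\b(from|into|set|where)\b/i',
        'union'     => '/\bunion\b\s+(all\s+)?\bselect\b/i',
        'ddl'       => '/\b(drop|alter|truncate)\s+table\b/i',
        'comment'   => '/(--\s|\/\*)/',
        // OR x=y / AND 'a'='a' style tautologies
        'tautology' => '/\b(or|and)\b\s+[\'"]?\w+[\'"]?\s*=\s*[\'"]?\w+[\'"]?/i',
    ];
    $hits = [];
    foreach ($params as $name => $value) {
        if (is_array($value)) {               // nested arrays, e.g. tx_ext[field]
            foreach (findSqlLikeParams($value) as $sub => $label) {
                $hits["{$name}[{$sub}]"] = $label;
            }
            continue;
        }
        $value = urldecode((string)$value);   // also catch %27%20OR%201%3D1
        foreach ($patterns as $label => $re) {
            if (preg_match($re, $value)) {
                $hits[$name] = $label;
                break;
            }
        }
    }
    return $hits;
}

// Constructed sample request (not captured traffic).
$request = [
    'id'     => '12',                              // clean
    'search' => 'select a hotel from the list',    // harmless prose, still flagged
    'uid'    => "1' OR '1'='1",                    // tautology
    'tx_ext' => ['sort' => 'name', 'q' => "1; DROP TABLE be_users --"],
];
print_r(findSqlLikeParams($request));
```

Flagging the search field shows why such a filter can only be an alarm for the administrator, never a substitute for escaping or parameterising the extension's own queries.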