[TYPO3-dev] Improvement against SQL injections

ries van Twisk typo3 at rvt.dds.nl
Sat Jun 16 18:28:17 CEST 2007


I am writing a sample extension that can detect SQL injections from POST/GET
variables, basically to protect the whole FE in one go.

Ries

On Jun 16, 2007, at 10:46 AM, ries van Twisk wrote:

>
> On Jun 16, 2007, at 8:43 AM, Lars Houmark wrote:
>
>> On 16/06/07 15:19, in article
>> mailman.329956.1181999992.21067.typo3-dev at lists.netfielders.de,
>> "ries van
>> Twisk" <typo3 at rvt.dds.nl> wrote:
>>
>>> One problem with two DB users (now I think of it)
>>>
>>> is that maybe some hosters don't allow you to set up
>>> two users for one database. I am not sure since I never
>>> use a hoster to host my websites.
>>>
>>> I remember that once I have seen plesk and that is just a
>>> big pain in the arse to get things done.
>>>
>>> Somebody know more about that?
>>>
>>
>> This was exactly my point. The security of the backend depends
>> first on access/allowance of using two DB users and secondly on
>> the user actually doing it.
>>
>> We have learned from the coding guidelines that even developers do
>> not read them and create insecure extensions - otherwise we would
>> not be having this discussion.
>>
>> So I seek a solution where this is controlled with no user setup
>> and by TYPO3 alone. I think your ideas about improving security
>> with an improved setup belong in the documentation about tuning
>> a server setup.
>>
>> - Lars
>>
>>
>
> Lars,
>
> I am not too sure how much it would really help, although
> I don't understand it completely.
>
> What you are trying to prevent is unauthorized access to the BE if a
> set of tables is not valid, right?
>
> I think it's a nice system to block unauthorized access.
>
> What if we parse all GET/POST vars and try to detect if we see any
> SQL queries?
> If we see that, we block access from that IP and send a mail to the
> administrator.
>
> Under normal conditions in the FE you would never see any SQL query
> at all, and we then protect the complete FE for all extensions in one
> go.
>
> This will take some additional overhead (create PHP module???) but
> it might be something to bring the security in general to a higher
> level.
>
> Ries
>
>
>
>
> _______________________________________________
> TYPO3-dev mailing list
> TYPO3-dev at lists.netfielders.de
> http://lists.netfielders.de/cgi-bin/mailman/listinfo/typo3-dev
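The scanner Ries sketches above (walk every GET/POST value, flag anything that looks like SQL, block the IP and report to the admin), written out in PHP as an added example that is not code from this thread or from TYPO3; keyword matching like this is a heuristic with false positives and negatives, so it supplements, and does not replace, escaping or prepared statements in the extensions themselves. It assumes the caller hands in the parameter arrays and the client IP, and uses no TYPO3 API.

```php
<?php
// Added example (not from the thread or from TYPO3): a request-parameter scanner
// in the spirit of the proposal. It walks GET/POST (nested arrays included),
// reports values that look like SQL text, and returns the client IP so the caller
// can block it and mail the administrator. Assumption: no TYPO3 API is used.

/** Patterns that rarely occur in legitimate FE input but are typical of SQL text. */
const SQL_FRAGMENT_PATTERNS = [
    '/\bUNION\b\s+(ALL\s+)?SELECT\b/i',
    '/\bSELECT\b.+\bFROM\b/i',
    '/\b(INSERT\s+INTO|UPDATE\s+\w+\s+SET|DELETE\s+FROM|DROP\s+TABLE)\b/i',
    '/(\'|")\s*(OR|AND)\s+[\w\'"]+\s*=\s*[\w\'"]+/i',                   // quote break-out
    '/\/\*.*?\*\/|--\s|;\s*(SELECT|INSERT|UPDATE|DELETE|DROP)\b/is',      // comments, stacked query
];

/** Recursively collect parameters whose value matches any pattern. */
function findSqlFragments(array $params, string $prefix = ''): array
{
    $hits = [];
    foreach ($params as $key => $value) {
        $name = $prefix === '' ? (string)$key : $prefix . '[' . $key . ']';
        if (is_array($value)) {
            $hits = array_merge($hits, findSqlFragments($value, $name));
            continue;
        }
        foreach (SQL_FRAGMENT_PATTERNS as $pattern) {
            if (preg_match($pattern, (string)$value) === 1) {
                $hits[] = ['param' => $name, 'value' => (string)$value, 'pattern' => $pattern];
                break;
            }
        }
    }
    return $hits;
}

/** Decide whether to block; the returned array is what the admin mail would report. */
function inspectRequest(array $get, array $post, string $clientIp): array
{
    $hits = array_merge(findSqlFragments($get, 'GET'), findSqlFragments($post, 'POST'));
    return ['block' => $hits !== [], 'ip' => $clientIp, 'hits' => $hits];
}

// Constructed sample request: a normal page view plus a search field carrying a SQL fragment.
$report = inspectRequest(
    ['id' => '12', 'L' => '0'],
    ['tx_search' => ['sword' => "foo' OR 1=1 -- ", 'page' => '2']],
    '203.0.113.7'   // documentation-range address, constructed for the example
);
print_r($report);   // block => 1, one hit on POST[tx_search][sword]
```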