[TYPO3-dev] Improvement against SQL injections

Martin Schoenbeck ms.usenet.nospam at schoenbeck.de
Sat Jun 16 22:00:29 CEST 2007


Hi Lars,

Lars Houmark schrieb:

> In the future - 5.0 I think - I hope that we are able to prevent these
> things in the query by having better integrity in the entire system, but
> this is not possible at the moment, because we can NEVER be sure that the
> extension is written after the CGL, making the core functions able to filter
> malicious data. In the macina_banners case, the ONE line of code which had
> the SQL injection flaw was using a NON DBAL query.

I can't see a way to hinder an extension from executing arbitrary database
queries. But what we can do is to hinder the database from executing arbitrary
queries when running in the frontend. I doubt that there are providers
hindering the creation of additional users, because it doesn't use up any
resources. At least I never saw such a restriction. And I doubt that it's
easier to create your file based access control than it is to create a user
which has write access only for tables with a special flag set. Even if
you don't want to flag all current tables in the first run, it can be done
for the user table easily.

Martin
-- 
Please don't fiddle with the e-mail address, it's fine as it is.
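The restricted frontend database account Martin describes, as an added example that is not part of the thread or of TYPO3 itself. It assumes MySQL, a database named `typo3db`, an account `fe_typo3`@`localhost`, and `tt_guestbook` as a stand-in for a table flagged as frontend-writable; `be_users` and `fe_users` are the real TYPO3 user tables.

```sql
-- Added example (not from the thread): least-privilege MySQL grants for a
-- TYPO3 frontend database account. Assumed names: database typo3db,
-- account 'fe_typo3'@'localhost', flagged table tt_guestbook.

-- Weak setting: one all-purpose account shared by backend and frontend.
-- An injected query through it can do anything, including creating users.
-- GRANT ALL PRIVILEGES ON typo3db.* TO 'typo3'@'localhost';

-- Corrected setting: a separate frontend account that may read every
-- table but may only write to tables carrying the "frontend-writable" flag.
CREATE USER 'fe_typo3'@'localhost' IDENTIFIED BY 'change-me-before-use';

GRANT SELECT ON typo3db.* TO 'fe_typo3'@'localhost';

-- Write access only on the flagged table(s); no DELETE unless needed.
GRANT INSERT, UPDATE ON typo3db.tt_guestbook TO 'fe_typo3'@'localhost';

-- Deliberately nothing granted on be_users / fe_users beyond SELECT:
-- even with an injection flaw in an extension, this account cannot
-- create or alter backend or frontend users.

-- Check: every table-level write privilege the account holds.
-- The user tables must not appear in the result.
SELECT TABLE_NAME, PRIVILEGE_TYPE
  FROM information_schema.TABLE_PRIVILEGES
 WHERE GRANTEE = "'fe_typo3'@'localhost'"
   AND PRIVILEGE_TYPE IN ('INSERT', 'UPDATE', 'DELETE')
 ORDER BY TABLE_NAME, PRIVILEGE_TYPE;

-- Check: no database-wide write privileges slipped in either.
SELECT PRIVILEGE_TYPE
  FROM information_schema.SCHEMA_PRIVILEGES
 WHERE GRANTEE = "'fe_typo3'@'localhost'"
   AND TABLE_SCHEMA = 'typo3db'
   AND PRIVILEGE_TYPE <> 'SELECT';
```

Both check queries should return an empty set except for the flagged table's rows; TYPO3's frontend configuration would then point at `fe_typo3` while the backend keeps its own account.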
