[TYPO3-dev] Improvement against SQL injections

Lars Houmark lars at houmark.com
Sat Jun 16 23:45:19 CEST 2007


On 16/06/07 22:00, in article
mailman.1.1182024030.9557.typo3-dev at lists.netfielders.de, "Martin
Schoenbeck" <ms.usenet.nospam at schoenbeck.de> wrote:

> I can't see a way to hinder an extension from executing arbitrary database
> queries. But what we can do is to hinder the database from executing arbitrary
> queries when running in the frontend.

Martin,

What you suggest relies entirely on a correct user setup. We have had bad
experiences with just that. This is why I propose a method that is
completely independent of the actual setup.

Yes, I only want to do this for the be_users table, as this is the one
giving access to the backend, where the user gets very unrestricted
access afterwards.

I acknowledge your suggestions and think they should be added to the
security cookbook (I will note this), but would like you to think of a
solution where there is no need for the user to set things up correctly.

I think my solution will indeed at least hinder backend access from being taken
by an evil person, and that is at least a hindrance to successful arbitrary
queries against the be_users table, which equals increased security. It does not
secure the entire system, but that is simply impossible with the structure and
flexibility of TYPO3 as it is now.

Yes, one can still delete all data in the database tables and by that destroy
the website, but we must hope for a professional hosting setup where backups
are made on a regular basis.

My success criterion is only to stop the easy access for a hacker who, by
getting backend access, would be able to do the kind of harm we have seen in
the macina_banners case.

- Lars
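The following is an added example of the database-side approach Martin describes (restricting what the frontend's database account may do), written for MySQL. It is not code from the thread or from TYPO3. The database name typo3db, the accounts typo3_fe and typo3_be, the host localhost and the passwords are assumed placeholders; be_users is the table named in the thread.

```sql
-- Added example, not from the thread or TYPO3: database-side privilege
-- separation for a TYPO3 frontend on MySQL. The database name (typo3db),
-- the accounts (typo3_fe, typo3_be), the host and the passwords are assumed
-- placeholders; be_users is the table named in the thread.

-- 1. One account for the backend with full rights on the site database.
CREATE USER 'typo3_be'@'localhost' IDENTIFIED BY 'backend-secret';
GRANT ALL PRIVILEGES ON `typo3db`.* TO 'typo3_be'@'localhost';

-- 2. One account for the frontend. MySQL cannot REVOKE a single table out of
--    a database-level grant, so grant table by table and leave out be_users.
--    This SELECT generates the GRANT lines; run its output afterwards.
CREATE USER 'typo3_fe'@'localhost' IDENTIFIED BY 'frontend-secret';

SELECT CONCAT('GRANT SELECT, INSERT, UPDATE, DELETE ON `typo3db`.`',
              table_name, '` TO ''typo3_fe''@''localhost'';') AS grant_stmt
FROM information_schema.tables
WHERE table_schema = 'typo3db'
  AND table_name NOT IN ('be_users');

-- 3. Checks. The first must list no grant on be_users; the second, run while
--    connected as typo3_fe, must fail with "command denied" (MySQL error
--    1142), which is what an injected query arriving through a frontend
--    extension would then receive as well.
SHOW GRANTS FOR 'typo3_fe'@'localhost';
SELECT * FROM be_users LIMIT 1;
```

Two caveats follow directly from how this works, and they are the "correct user setup" dependency Lars objects to: the frontend and the backend must really connect with different credentials (how that is arranged for a given TYPO3 installation is assumed here, not confirmed by the thread), and any table created later, for example by installing an extension, gets no grant at all until step 2 is run again.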
