[TYPO3-dev] Improvement against SQL injections

Dmitry Dulepov dmitry at typo3.org
Mon Jun 18 10:26:07 CEST 2007


Hi!

Lars Houmark wrote:
> We have recently seen a rather big threat with macina_banners, using 
> simple SQL injections to gain backend access.

Well, I think even that was a bit of an overestimation :) Why? Because 
the "mysql" extension does not allow several queries in one call. The newer 
"mysqli" allows it, but typo3 does not use "mysqli". So, even if you pass 
"id=0;delete from be_users", it will not work. Anyway, non-checked 
parameters are bad, so it is good that they were fixed.

> These modifications are pretty simple. Only modifications to the add/edit 
> core functions for users are needed. Of course the constant syncing of 
> the checksum array needs to be pretty intelligent, but hey... You are 
> intelligent guys ;). Besides that some initial creation of the file and 
> array is needed for users updating from older versions.

Oh, well, this is not so simple. Of course, all data modification should 
go through TCEmain, which can watch and create this file. But checking it is 
a different thing. There can be a custom authentication service, which does 
not know about these checksums...

-- 
Dmitry Dulepov
TYPO3 freelancer / TYPO3 core team member
Web: http://typo3bloke.net/
Skype: callto:liels_bugs
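The checksum array Lars proposes, sketched as an added example (not TYPO3 code and not from either poster): a keyed checksum is stored per backend user record when the record is written through the expected path, and a later pass over the table reports records that were changed, added or removed behind its back. The secret key, the field set and the sample records are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed assumption: the key would live in a file outside the web
# root; an attacker who can only modify table rows cannot recompute HMACs.
SECRET_KEY = b"constructed-secret-key-not-for-production"


def record_checksum(user: dict) -> str:
    """Keyed checksum over a canonical serialisation of one user record."""
    canonical = json.dumps(user, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SECRET_KEY, canonical, hashlib.sha256).hexdigest()


def build_checksum_array(users: list[dict]) -> dict[int, str]:
    """What the add/edit path (e.g. TCEmain) would write out: uid -> checksum."""
    return {u["uid"]: record_checksum(u) for u in users}


def verify_users(users: list[dict], checksums: dict[int, str]) -> list[tuple[int, str]]:
    """Compare the live table against the stored array; return (uid, reason) findings."""
    findings = []
    seen = set()
    for u in users:
        seen.add(u["uid"])
        expected = checksums.get(u["uid"])
        if expected is None:
            findings.append((u["uid"], "record not in checksum array"))
        elif not hmac.compare_digest(expected, record_checksum(u)):
            findings.append((u["uid"], "record modified outside the tracked path"))
    for uid in checksums:
        if uid not in seen:
            findings.append((uid, "record missing from table"))
    return findings


# Constructed sample rows with the fields an integrity check would care about.
SAMPLE_USERS = [
    {"uid": 1, "username": "admin", "admin": 1, "password": "hash-a"},
    {"uid": 2, "username": "editor", "admin": 0, "password": "hash-b"},
]

if __name__ == "__main__":
    stored = build_checksum_array(SAMPLE_USERS)
    tampered = [dict(SAMPLE_USERS[0]), {**SAMPLE_USERS[1], "admin": 1}]
    print(verify_users(tampered, stored))
```

As Dmitry notes, this only catches writes that bypass the tracked path; an authentication service that never consults the array gains nothing from it.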
