[TYPO3-dev] Improvement against SQL injections

Elmar Hinz elmar.DOT.hinz at team.MINUS.red.DOT.net
Mon Jun 18 12:11:45 CEST 2007


> 
> Oh, well, this is not so simple. Of course, all data modification should 
> go through TCEmain, it can watch and create this file. But checking it is 

Hi Dmitry,

What do you mean by "all data modification should go through TCEmain"?
Now, it would be a consistent way to handle things. But is it your personal
opinion? Is it a new coding guideline? 

I remember that TCEmain was for backend input while $GLOBALS['TYPO3_DB']
was for frontend queries, when I read the docs the last time. TCEmain is
not available in the frontend by default.

However, there is no way to force the extension programmer to hold to a
special method. And as long as the kickstarter produces that ugly code,
like the no_cache parameter as a hidden field in the forms, I don't expect
that beginners using the kickstarter can write better code. An estimated 90%
or more of TER extensions use the kickstarter and are as bad or even worse.
Only a few developers try to improve kickstarter-generated code.

Regards

Elmar
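For readers following the thread, here is an added example (not code from the original posts, from the kickstarter, or from the TYPO3 core) of the frontend-query pattern Elmar refers to: a kickstarter-style pi1 plugin that builds a WHERE clause from request data, first the way generated extension code typically does it, then hardened with the quoting helpers of `$GLOBALS['TYPO3_DB']` (t3lib_DB in TYPO3 4.x). The table name `tx_example_items`, the field `title`, the piVar `search` and the class name are assumptions made for illustration; `enableFields()`, `fullQuoteStr()`, `exec_SELECTquery()`, `sql_fetch_assoc()` and `sql_free_result()` are the existing TYPO3 4.x APIs.

```php
<?php
// Added example, not part of the original thread or of TYPO3 itself.
// Assumed names: class tx_example_pi1, table tx_example_items, field title,
// piVar "search". Requires a TYPO3 4.x frontend context where
// $GLOBALS['TYPO3_DB'] is a t3lib_DB instance and $this->cObj is set.

require_once(PATH_tslib . 'class.tslib_pibase.php');

class tx_example_pi1 extends tslib_pibase {
    var $prefixId = 'tx_example_pi1';
    var $extKey = 'example';
    var $table = 'tx_example_items';

    // VULNERABLE (kickstarter-style): the raw piVar is concatenated into SQL.
    // A search value of   ' OR 1=1 --   yields
    //   title LIKE '%' OR 1=1 --%' AND ...   and selects every row.
    function findVulnerable($search) {
        $where = "title LIKE '%" . $search . "%'"
               . $this->cObj->enableFields($this->table);
        return $GLOBALS['TYPO3_DB']->exec_SELECTquery('uid,title', $this->table, $where);
    }

    // HARDENED: every value that reaches SQL is either cast to int or passed
    // through fullQuoteStr(), which escapes it and wraps it in quotes.
    function findHardened($search, $pid) {
        $db = $GLOBALS['TYPO3_DB'];
        // Escape LIKE wildcards first, then quote: after fullQuoteStr() the
        // backslash is doubled, so MySQL sees \% and treats it as a literal %.
        $likeValue = '%' . addcslashes($search, '%_') . '%';
        $where = 'pid=' . intval($pid)
               . ' AND title LIKE ' . $db->fullQuoteStr($likeValue, $this->table)
               . $this->cObj->enableFields($this->table);
        $res = $db->exec_SELECTquery('uid,title', $this->table, $where);
        $rows = array();
        while ($row = $db->sql_fetch_assoc($res)) {
            $rows[] = $row;
        }
        $db->sql_free_result($res);
        return $rows;
    }

    function main($content, $conf) {
        $this->conf = $conf;
        $this->pi_setPiVarDefaults();
        $this->pi_loadLL();
        $search = isset($this->piVars['search']) ? (string)$this->piVars['search'] : '';
        $rows = $this->findHardened($search, $GLOBALS['TSFE']->id);
        $content = '<ul>';
        foreach ($rows as $row) {
            // Output escaping is a separate concern from SQL quoting.
            $content .= '<li>' . htmlspecialchars($row['title']) . '</li>';
        }
        $content .= '</ul>';
        return $this->pi_wrapInBaseClass($content);
    }
}
```

The point is not the particular helper but the rule the thread is circling: in frontend code nothing coming from `piVars`, `t3lib_div::_GP()` or `$GLOBALS['TSFE']` reaches a query string unless it has been through `intval()`, `fullQuoteStr()` or an equivalent t3lib_DB method, and `enableFields()` is appended so hidden, deleted and time-restricted records stay invisible.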
