[TYPO3-dev] Improvement against SQL injections

Dmitry Dulepov dmitry at typo3.org
Mon Jun 18 13:07:05 CEST 2007


Hi!

Elmar Hinz wrote:
> What do you mean with "all data modification should go through TCEmain"?
> Now, it would be a consistent way to handle things. But is it personal
> opinion of you? Is it a new coding guideline? 

Nope, this is how all system tables are modified in core and should be 
modified from extensions. BE mode, of course. I think more globally: there 
can be security problems in BE extensions as well.

> I remember that TCEmain was for backend input while $GLOBALS['TYPO3_DB']
> was for frontend queries, when I read the docs the last time. TCEmain is
> not available in the frontend by default.

FE queries are not supposed to *modify* system tables anyway. If they 
do, they can easily break references, IRRE, workspaces, TemplaVoila, 
etc. They should do it through TCEmain (it is possible to instantiate 
TCEmain in FE too, but with some more code).

> However, there is no way to force the extension programmer to hold to a
> special method.

Unfortunately this is right, and some extensions still use the mysql() functions.

But the checksum method does not give much protection because it can be 
used only if the default be_users implementation is used. It will not work 
with custom auth services because these services may not reveal some 
details (like passwords).

-- 
Dmitry Dulepov
TYPO3 freelancer / TYPO3 core team member
Web: http://typo3bloke.net/
Skype: callto:liels_bugs
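The three ways of touching the database that the mail contrasts, side by side, as an added example (not code from the post above or from TYPO3 itself, written against the TYPO3 4.x API of the time): a raw mysql_query() built by string concatenation, the same read done through $GLOBALS['TYPO3_DB'] with fullQuoteStr(), and a write routed through t3lib_TCEmain. The table tx_myext_item, its fields, and the function names are assumptions chosen for illustration.

```php
<?php
/*
 * Added example, not code from the original mail or from the TYPO3 core.
 * Table tx_myext_item with fields uid, pid, title, deleted, hidden is assumed.
 */

// 1. The injectable pattern the mail warns about: user input spliced into SQL.
//    A request with title = x' OR 1=1 -- (note the trailing space) closes the
//    string literal, adds a tautology and comments out the deleted = 0 filter,
//    so every row, including deleted ones, is returned.
function findItemsVulnerable($title) {
    $res = mysql_query("SELECT uid, title FROM tx_myext_item"
        . " WHERE title = '" . $title . "' AND deleted = 0");
    $rows = array();
    while ($row = mysql_fetch_assoc($res)) {
        $rows[] = $row;
    }
    return $rows;
}

// 2. Hardened FE read through the TYPO3 DB API ($GLOBALS['TYPO3_DB']).
//    fullQuoteStr() escapes the value and wraps it in quotes for the given table;
//    cleanIntArray() casts every element to int, so neither value can break out
//    of the query. deleted/hidden are checked explicitly instead of trusting input.
function findItems($title, array $pids) {
    $db = $GLOBALS['TYPO3_DB'];
    $where = 'title = ' . $db->fullQuoteStr($title, 'tx_myext_item')
        . ' AND pid IN (' . implode(',', $db->cleanIntArray($pids)) . ')'
        . ' AND deleted = 0 AND hidden = 0';
    return $db->exec_SELECTgetRows('uid, title', 'tx_myext_item', $where);
}

// 3. A write routed through TCEmain instead of a hand-written INSERT.
//    TCEmain quotes the values itself and applies TCA validation, access checks,
//    workspace and reference handling, which is why the mail says modification of
//    system tables should go through it. It needs a backend user context
//    ($GLOBALS['BE_USER']), i.e. a BE module; calling it from the FE requires
//    bootstrapping a BE user first (not shown here).
function createItem($pid, $title) {
    $data = array(
        'tx_myext_item' => array(
            'NEW_1' => array(            // a 'NEW...' key inserts; a numeric uid updates
                'pid'   => (int) $pid,
                'title' => $title,       // raw value; TCEmain does the escaping
            ),
        ),
    );
    $tce = t3lib_div::makeInstance('t3lib_TCEmain');
    $tce->stripslashes_values = 0;       // values are not magic-quoted
    $tce->start($data, array());         // second argument is the (empty) command map
    $tce->process_datamap();
    // Refused or failed operations end up in $tce->errorLog rather than throwing.
    if (count($tce->errorLog) > 0) {
        return 0;
    }
    // substNEWwithIDs maps the 'NEW_1' placeholder to the uid actually created.
    return isset($tce->substNEWwithIDs['NEW_1']) ? (int) $tce->substNEWwithIDs['NEW_1'] : 0;
}
```

The point of keeping the first function next to the second is that the fix is not "escape harder" but "never build the literal yourself": fullQuoteStr() and cleanIntArray() decide how a value is embedded, so the caller has no quoting to get wrong. For writes, the same reasoning applies one level up, which is why the third function passes a data map to TCEmain rather than calling exec_INSERTquery() directly.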



