[TYPO3-dev] Improvement against SQL injections
Martin Kutschker
Martin.Kutschker at n0spam-blackbox.net
Mon Jun 18 15:15:23 CEST 2007
Elmar Hinz wrote:
>> FE queries are not supposed to *modify* system tables anyway. If they
>> do, they can easily break references, IRRE, workspaces, TemplaVoila,
>> etc. They should do it through TCEmain (it is possible to instantiate
>> TCEmain in the FE too, but with some more code).
>>
>
> Yes, that's possible. For the T3 indigenous people at least. IMHO there is
> no official documentation that shows the common programmer how to do
> this. It took me half a day to find a solution and I am not sure if my way
> is the best way to do it.
>
> Because of the absence of documentation for this, I think it's likely that
> a lot of people end up with unclean homemade solutions when they need
> to update system tables from the frontend, instead of using TCEmain.
TCEmain is very powerful, but of course has some twists that aren't that
obvious. Maybe we can add a simple wrapper for common INSERT/UPDATE
scenarios that should be done with TCEmain for system consistency/integrity *.
Masi
* If we add support for nested sets for tables like pages we really need this.
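The kind of wrapper discussed above, sketched as an added example that is not code from this thread or from TYPO3 itself. It assumes the TYPO3 4.x API of the time (t3lib_div, t3lib_TCEmain, t3lib_beUserAuth, $GLOBALS['TYPO3_DB']) and that the frontend has no backend user, so the caller builds a minimal $GLOBALS['BE_USER'] object first; that setup is my assumption of one way to run TCEmain in the FE, not a documented method. The helper names tcemain_save and fe_make_be_user are hypothetical.

```php
<?php
// Added example: route frontend INSERT/UPDATE through TCEmain instead of hand-built SQL.
// Assumes TYPO3 4.x (t3lib_* classes); helper names are hypothetical.

// What the wrapper is meant to replace: untrusted request data concatenated into SQL
// (the injection the thread subject refers to), and which also bypasses TCA evaluation,
// references, workspaces and the other things TCEmain maintains.
function unsafe_direct_update($uid, $title) {
    $GLOBALS['TYPO3_DB']->sql_query(
        "UPDATE pages SET title='" . $title . "' WHERE uid=" . $uid   // vulnerable
    );
}

// ASSUMPTION: TCEmain needs $GLOBALS['BE_USER']; in the frontend none exists, so a
// minimal backend user object is constructed. Flagging it admin grants TCEmain full
// write rights, so the wrapper below must itself restrict which tables/fields the
// frontend may touch; do not expose this to arbitrary $_POST input.
function fe_make_be_user() {
    if (!is_object($GLOBALS['BE_USER'])) {
        $GLOBALS['BE_USER'] = t3lib_div::makeInstance('t3lib_beUserAuth');
        $GLOBALS['BE_USER']->user = array('uid' => 0, 'username' => '_fe_tcemain_', 'admin' => 1);
        $GLOBALS['BE_USER']->workspace = 0;
    }
}

// Whitelist of tables/fields the frontend is allowed to write (constructed for the example).
$FE_WRITABLE = array(
    'tt_content' => array('header', 'bodytext', 'hidden'),
);

/**
 * Insert ($uid == 0) or update one record through TCEmain.
 *
 * @param string $table   TCA table name
 * @param int    $uid     Existing uid to update, or 0 to insert
 * @param array  $fields  Field => value pairs taken from the request (untrusted)
 * @param int    $pid     Page id for new records
 * @return int   uid of the written record, or 0 if TCEmain logged an error
 */
function tcemain_save($table, $uid, array $fields, $pid = 0) {
    global $FE_WRITABLE;
    if (!isset($FE_WRITABLE[$table])) {
        return 0;                                   // table not writable from FE
    }
    // Keep only whitelisted fields; everything else from the request is dropped.
    $fields = array_intersect_key($fields, array_flip($FE_WRITABLE[$table]));

    fe_make_be_user();

    // A 'NEW...' key makes TCEmain insert; a numeric key makes it update that uid.
    $uid = intval($uid);
    $key = $uid > 0 ? $uid : 'NEW' . uniqid('');
    if ($uid <= 0) {
        $fields['pid'] = intval($pid);
    }
    $data = array($table => array($key => $fields));

    $tce = t3lib_div::makeInstance('t3lib_TCEmain');
    $tce->stripslashes_values = 0;                  // values are raw request data, not slashed
    $tce->start($data, array());                    // data map only, no command map
    $tce->process_datamap();                        // TCA eval, quoting, hooks, workspaces, log

    if (count($tce->errorLog)) {
        return 0;                                   // permission/validation error logged by TCEmain
    }
    return $uid > 0 ? $uid : intval($tce->substNEWwithIDs[$key]);
}

// Usage from a FE plugin: insert, then update the same record.
// $newUid = tcemain_save('tt_content', 0, t3lib_div::_POST('tx_example'), $GLOBALS['TSFE']->id);
// tcemain_save('tt_content', $newUid, array('hidden' => 1));
```

The point of the whitelist is that TCEmain enforces rights of the backend user it is given, and the constructed admin user has all of them; the wrapper therefore has to carry the frontend's own authorization decision. Values still reach the database through TCEmain's field evaluation and the DB layer's quoting rather than through string concatenation.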