[TYPO3-dev] Improvement against SQL injections
Elmar Hinz
elmar.DOT.hinz at team.MINUS.red.DOT.net
Mon Jun 18 17:31:59 CEST 2007
>> Because of the absence of documentation for this, I think it's likely that
>> a lot of people end up with unclean homemade solutions, when they need
>> to update system tables from the frontend, instead of using TCEmain.
>
> TCEmain is very powerful, but has of course some twists that aren't that
> obvious. Maybe we can add a simple wrapper for common INSERT/UPDATE
> scenarios that should be done with TCEmain for system consistency/integrity *.
>
> Masi
>
> * if we add support of nested sets for tables like pages we really need this.

Of course a wrapper would be nice. It's especially strange for me that I
always have to set the data and the commands array, even if you only
execute one of them. Two additional functions would do the trick.

A short addition to the Core API answering the question
"How to include the power of the backend into the frontend?"
would already help a lot.

Most of all, I would like to have a TCE-creating function for the FE, something
in this direction. Maybe there are smarter ways.
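
class t3lib_div {
    // Sets up a TCEmain instance in $TCE for use from the frontend.
    function createTCE() {
        global $TCE, $BE_USER, $TCA, $PAGES_TYPES, $ICON_TYPES, $LANG_GENERAL_LABELS, $TBE_STYLES, $TBE_MODULES, $FILEICONS;
        // Load the table configuration (TCA); discard any output the includes produce.
        ob_start();
        require(PATH_t3lib.'stddb/tables.php');
        require(PATH_t3lib.'stddb/load_ext_tables.php');
        require_once(PATH_t3lib.'class.t3lib_tcemain.php');
        ob_end_clean();
        $TCE = t3lib_div::makeInstance('t3lib_tcemain');
        // Input values are not slash-escaped, so tell TCEmain not to strip slashes.
        $TCE->stripslashes_values = 0;
    }
}
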
Regards
Elmar
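
The two single-purpose wrappers suggested in the message above, as an added example (not code from the post or from TYPO3 core). `tceWriteRecord`, `tceRunCommand`, the field allow-list and the `RecordingTce` stand-in are hypothetical names and assumptions; `start()`, `process_datamap()` and `process_cmdmap()` are the TCEmain methods being wrapped.

```php
<?php
// Added illustration; function names are hypothetical, not TYPO3 core API.

// Write one record through TCEmain's datamap only (no command array needed).
function tceWriteRecord($tce, $table, $uid, array $input, array $allowedFields) {
    // Keep only the fields the plugin explicitly allows; anything else a
    // frontend request sent along is dropped before it reaches TCEmain.
    $fields = array_intersect_key($input, array_flip($allowedFields));
    if (!$fields) {
        return false;
    }
    // Existing records are addressed by integer uid, new ones by a "NEW..." placeholder.
    $key = preg_match('/^NEW[0-9a-zA-Z]+$/', (string)$uid) ? (string)$uid : (int)$uid;
    $tce->start(array($table => array($key => $fields)), array());
    $tce->process_datamap();
    return true;
}

// Run one command (e.g. 'delete') through the cmdmap only (no data array needed).
function tceRunCommand($tce, $table, $uid, $command, $value) {
    $tce->start(array(), array($table => array((int)$uid => array($command => $value))));
    $tce->process_cmdmap();
}

// Stand-in for t3lib_TCEmain so the sketch runs outside TYPO3 (constructed for this example).
class RecordingTce {
    public $datamap = array();
    public $cmdmap = array();
    function start($data, $cmd) { $this->datamap = $data; $this->cmdmap = $cmd; }
    function process_datamap() { echo 'datamap: ', json_encode($this->datamap), "\n"; }
    function process_cmdmap() { echo 'cmdmap: ', json_encode($this->cmdmap), "\n"; }
}

$tce = new RecordingTce();
// Constructed frontend input: 'admin' is not on the allow-list and is dropped.
tceWriteRecord($tce, 'fe_users', 42, array('name' => "O'Brien", 'admin' => 1), array('name', 'email'));
tceRunCommand($tce, 'fe_users', 42, 'delete', 1);
```

Inside TYPO3 the `$tce` argument would be the object returned by `t3lib_div::makeInstance('t3lib_tcemain')` instead of the stand-in; values are handed to TCEmain as array data, so no SQL string is assembled in the plugin.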