[TYPO3-dev] Improvement against SQL injections

Stefan Kreisberg stefan.spamfree at ham.linkfactory.dk
Mon Jun 18 18:50:38 CEST 2007


Martin Kutschker wrote:

> Elmar Hinz schrieb:
>>> FE queries are not supposed to *modify* system tables any way. If they
>>> do, they can easily break references, irre, workspaces, templavoila,
>>> etc. They should do it through TCEmain (it is possible to instantiate
>>> TCEmain in FE too but with some more code).
>>>
>> 
>> Yes, that's possible. For the T3 indigene people at least. IMHO there is
>> no official documentation that shows the common programmer how to do
>> this. It took me half a day to find a solution and I am not sure if my
>> way is the best way to do it.
>> 
>> Because of the absence of documentation for this, I think it's likely
>> that a lot of people end up with unclean homemade solutions, when
>> they need to update system tables from the frontend, instead of using
>> TCEmain.
> 
> TCEmain is very powerful, but has of course some twists that aren't that
> obvious. Maybe we can add a simple wrapper for common INSERT/UPDATE
> scenarios that should be done with TCEmain for system
> consistency/integrity *.

And even though it's powerful and useful - there are some scenarios where
it's just not adequate. I've met its boundaries when, for instance,
keeping two T3 pagetrees from two different sites "in sync" using
versioning and all the possible quirks meaning a lot of deletes and
insert/update queries. In my experience there are some "off the limit"
scenarios that simply cannot be done using the current TCEMain with the
overhead it imposes (the queries, if run by hand, could be done with 1/100
the number of queries compared to the number of queries produced by TCEmain).
I'd be happy to elaborate - but it's just to illustrate that it cannot simply
be used in every possible scenario.
 
:-) Stefan

> Masi
> 
> * if we add support of nested sets for tables likes pages we really need
> this.





More information about the TYPO3-dev mailing list