[TYPO3-dev] Re: meet a problem when using a HTML template
Dmitry Dulepov
dmitry at typo3.org
Mon Dec 15 12:42:27 CET 2008
Hi!
lm x wrote:
> I'm just writing my first ext with a HTML template. In the template there are two parts. The first part (###LISTVIEW###) has a form. When I submit the form, it should show me the second part (###DETAILVIEW###).
>
> However, it doesn't show the second part and still shows the first. Please, anybody, tell me what's wrong in my code. Thank you!!!
Franz already answered, I want to point to one potential problem with the code.
> $this->id=$GLOBALS['TSFE']->id;
Here you set it to $GLOBALS['TSFE']->id, which is ok.
> $res=$GLOBALS['TYPO3_DB']->exec_SELECTquery(
> '*', #select
> 'tx_modulbuchtest_module', #from
> 'hidden=0 and deleted=0 and pid='.$this->id, #where
> $groupBy='',
> $orderBy='',
> $limit='');
Here you use $this->id. Now think what will happen if you ever decide to use a GET parameter for it. What if a hacker supplies "5;delete from be_users" as this parameter? This may have bad effects on your server...
A simple "intval($this->id)" will add extra security to your code.
> if($res) {
> $liste='';
> while($row=$GLOBALS['TYPO3_DB']->sql_fetch_assoc($res))
> {
> $markerArray['###PROTYPE###']='<option value="456">'.$row['sprache'].'</option>';
> $liste .= $this->cObj->substituteMarkerArrayCached($singlerow,$markerArray);
> }
>
> $subpartArray['###ROW###']=$liste;
> } else {
> return $this->pi_getLL('nodata');
> }
Here you have a memory leak. You need to call $GLOBALS['TYPO3_DB']->sql_free_result($res).
> return $this->cObj->substituteMarkerArrayCached($subpart,$markerArray,$subpartArray,'');
Here you may want to read:
http://typo3bloke.net/post-details/why_substitutemarkerarraycached_is_bad/
--
Dmitry Dulepov
TYPO3 core team
In the blog: http://typo3bloke.net/post-details/how_will_i_fix_bugs_in_extensions_from_now_on/
My TYPO3 book: http://www.packtpub.com/typo3-extension-development/book
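The point about intval() above, as an added example that is not code from the original post or from TYPO3 itself. It rebuilds the WHERE clause from the quoted extension in two variants, the raw concatenation and the intval()-cast one, and runs both against a constructed in-memory SQLite table via PDO, which here stands in for $GLOBALS['TYPO3_DB'] (the table name and columns are taken from the quoted query; the rows are made up). The payload "5 OR 1=1" is chosen so that the effect shows up in a plain SELECT: the unsanitised clause returns every row, hidden and deleted ones included, while the cast clause returns only the visible row on page 5.

```php
<?php
// Added example, not code from the original post. PDO/SQLite is a stand-in
// for the TYPO3 database layer; table contents are constructed for the demo.

// The construction criticised in the reply: $id is concatenated as-is.
function buildWhereVulnerable($id)
{
    return 'hidden=0 and deleted=0 and pid=' . $id;
}

// The suggested fix: intval() keeps only the leading integer, so
// "5 OR 1=1" and "5;delete from be_users" both become 5.
function buildWhereSafe($id)
{
    return 'hidden=0 and deleted=0 and pid=' . intval($id);
}

// Constructed sample table with the columns the quoted query relies on.
function setupDb()
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE tx_modulbuchtest_module ('
        . 'uid INTEGER PRIMARY KEY, pid INTEGER, hidden INTEGER, '
        . 'deleted INTEGER, sprache TEXT)');
    $rows = array(
        array(1, 5, 0, 0, 'Deutsch'),
        array(2, 5, 1, 0, 'Englisch (hidden)'),
        array(3, 7, 0, 0, 'Franzoesisch (other page)'),
        array(4, 5, 0, 1, 'Spanisch (deleted)'),
    );
    $stmt = $db->prepare('INSERT INTO tx_modulbuchtest_module VALUES (?, ?, ?, ?, ?)');
    foreach ($rows as $r) {
        $stmt->execute($r);
    }
    return $db;
}

// Runs the SELECT with the given WHERE clause and returns the 'sprache' values.
function selectSprachen(PDO $db, $where)
{
    $res = $db->query('SELECT sprache FROM tx_modulbuchtest_module WHERE ' . $where);
    $out = array();
    while ($row = $res->fetch(PDO::FETCH_ASSOC)) {
        $out[] = $row['sprache'];
    }
    $res->closeCursor(); // PDO counterpart of sql_free_result()
    return $out;
}

$db = setupDb();
$attacker = '5 OR 1=1'; // what a GET parameter might carry

// Precedence makes this "(hidden=0 and deleted=0 and pid=5) OR 1=1":
// all four rows come back, including the hidden and the deleted one.
printf("vulnerable: %s\n", implode(', ', selectSprachen($db, buildWhereVulnerable($attacker))));

// Only "Deutsch" comes back: the visible, undeleted row on page 5.
printf("safe:       %s\n", implode(', ', selectSprachen($db, buildWhereSafe($attacker))));

// The payload from the reply reduces to a plain integer as well.
var_dump(intval('5;delete from be_users'));
```

intval() is the right tool only because pid is an integer. For string values that must end up in a WHERE clause, the t3lib_DB layer offers fullQuoteStr($str, $table), which quotes and escapes the value for the connected database; concatenating a raw string there has the same problem as the unsanitised pid.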