[TYPO3-dev] RFC #11120: stdWrap for TypoScript-select parameters
David Bruchmann
typo3-dev at bruchmann-web.de
Sun Jun 7 21:16:19 CEST 2009
Description:
The select function doesn't allow stdWrap for several parameters, so they
have to be hardcoded in TS.
I changed function getQuery in class.tslib_content.php so that all
parameters in the defined array $stdWrapAllowedValues are parsed through
stdWrap.
Now I'm not quite sure which parameters can be added there; adding
the SQL statements (where, andwhere, join) breaks the function, but
what about begin, languageField, orderBy, groupBy?
Current Patch:
bug_11220_8.diff
<http://bugs.typo3.org/file_download.php?file_id=7616&type=bug>
Problem:
Concerning my patch, Jo Hasenau posted (28817) problems with possible
SQL injection.
Current Solution:
Added $GLOBALS['TYPO3_DB']->fullQuoteStr() to $queryParts['SELECT']
_______________
I'd appreciate your comments on the following questions:
1) Is $GLOBALS['TYPO3_DB']->fullQuoteStr() the correct function to prevent
SQL injection?
2) Which elements of $queryParts should also be quoted by the function in 1)?
3) Are there other open points regarding my patch?
Thanks
David
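Added example for the quoting question above (not the patch or TYPO3 code; the tt_content table, its columns and the use of sqlite3 are assumptions). It shows that literal quoting in the style of fullQuoteStr is the right tool for values, while column-name parameters such as orderBy, groupBy and languageField stay valid SQL when quoted but stop naming the column, so they need validation against the schema instead:

```python
import re
import sqlite3

# Constructed example, not the TYPO3 patch itself. Table and column names are assumed.
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def sql_literal(value):
    """Quote a VALUE as a string literal (the job fullQuoteStr-style quoting does)."""
    return "'" + value.replace("'", "''") + "'"

def identifier(name, allowed):
    """Column names (orderBy, groupBy, languageField) are structure, not values:
    a literal-quoted name is still valid SQL but no longer names the column,
    so validate against the schema instead of quoting."""
    if name not in allowed or not IDENT.match(name):
        raise ValueError("rejected identifier: %r" % name)
    return name

def build_query(params, columns):
    """Assemble the SELECT from stdWrap'ed parameters, one rule per kind of part."""
    sql, args = "SELECT uid, title FROM tt_content", []
    if params.get("languageField"):               # column validated, compared value bound
        sql += " WHERE %s = ?" % identifier(params["languageField"], columns)
        args.append(int(params.get("sys_language_uid", 0)))
    for clause in ("groupBy", "orderBy"):        # comma lists of column names
        if params.get(clause):
            cols = [identifier(c.strip(), columns) for c in params[clause].split(",")]
            sql += " %s %s" % ("GROUP BY" if clause == "groupBy" else "ORDER BY", ", ".join(cols))
    if params.get("begin") is not None:          # numeric: cast, never string-quoted
        sql += " LIMIT -1 OFFSET ?"
        args.append(int(params["begin"]))
    return sql, args

def demo():
    """Run both approaches against an in-memory table to see the difference."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tt_content (uid INTEGER, title TEXT, sys_language_uid INTEGER)")
    con.executemany("INSERT INTO tt_content VALUES (?, ?, ?)", [(1, "b", 0), (2, "a", 0), (3, "c", 1)])
    schema = {"uid", "title", "sys_language_uid"}
    sql, args = build_query({"languageField": "sys_language_uid", "orderBy": "title", "begin": "1"}, schema)
    validated = [r[1] for r in con.execute(sql, args)]
    # Quoting the column as a literal sorts by the constant 'title': rows come back in scan order.
    quoted = [r[1] for r in con.execute("SELECT uid, title FROM tt_content ORDER BY " + sql_literal("title"))]
    return validated, quoted

if __name__ == "__main__":
    print(demo())
```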