[TYPO3-dev] RFC #11120: stdWrap for TypoScript-select parameters

JoH asenau info at cybercraft.de
Mon Jun 8 14:42:00 CEST 2009


> The select function doesn't allow stdWrap for several parameters. So
> they have to be hardcoded in TS.
> I changed function getQuery in class.tslib_content.php so that all
> parameters in the defined array $stdWrapAllowedValues are parsed
> through stdWrap.
>
> Problem:
> concerning my patch Jo Hasenau posted (28817) problems with optional
> SQL-Injection
>
> Current Solution:
> Added $GLOBALS['TYPO3_DB']->fullQuoteStr() to $queryParts['SELECT']
> _______________

The problem is that you will always open up additional possibilities for
security holes as long as the whole SELECT-query is not escaped properly.
TypoScript based queries are currently not properly escaped, so it's already
possible that an Integrator creates a hole without noticing it, because
he/she might rely on the core to do the job.

Additional stdWrap options for other parameters won't make the current
situation much worse, since it already is not very satisfying anyway.

IMHO it could be an option to add another stdWrap function "escapeValues" so
that the Integrator can decide whether it's necessary to escape the values or
not, since the problem only occurs when using values from "outside" the
TS-Setup (i.e. GPvar).

HTH

Joey

-- 
Wenn man keine Ahnung hat: Einfach mal Fresse halten!
(If you have no clues: simply shut your gob sometimes!)
Dieter Nuhr, German comedian
Xing: http://contact.cybercraft.de
Twitter: http://twitter.com/bunnyfield
TYPO3 cookbook (2nd edition): http://www.typo3experts.com
TYPO3 workshops: http://workshops.eqony.com
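As an added illustration of the escaping question discussed in this thread (not code from the RFC, the patch, or TYPO3 itself), the PHP stand-in below shows a stdWrap-resolved value flowing into a select WHERE clause with and without a hypothetical escapeValues option; quoteValue() mimics what fullQuoteStr() does, and the config array, function names and sample GPvar are all assumptions.

```php
<?php
// Added example, not TYPO3 code. quoteValue() reproduces the shape of
// t3lib_DB::fullQuoteStr(): backslash-escape the characters that end or
// alter a MySQL string literal, then wrap the result in single quotes.
// No database link is needed, so this runs offline.
function quoteValue(string $value): string
{
    $map = [
        "\\"   => "\\\\",
        "'"    => "\\'",
        '"'    => '\\"',
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\x1a" => "\\Z",
    ];
    return "'" . strtr($value, $map) . "'";
}

// Simplified stand-in for the WHERE handling in getQuery(): "where.data"
// names the GPvar that stdWrap resolved, "where.field" the column it is
// compared against, and "where.escapeValues" is the option proposed in the
// thread (hypothetical; it does not exist in TYPO3).
function buildWhere(array $conf, array $gpVars): string
{
    $raw = $gpVars[$conf['where.']['data']] ?? '';
    $value = !empty($conf['where.']['escapeValues']) ? quoteValue($raw) : $raw;
    return $conf['where.']['field'] . ' = ' . $value;
}

// Constructed input: a harmless value containing a quote, which is enough
// to show why an unquoted value breaks (or changes) the query.
$gpVars = ['author' => "O'Reilly"];
$conf   = ['where.' => ['field' => 'author', 'data' => 'author']];

echo buildWhere($conf, $gpVars), "\n";                  // author = O'Reilly  (unbalanced quote)
$conf['where.']['escapeValues'] = 1;
echo buildWhere($conf, $gpVars), "\n";                  // author = 'O\'Reilly'
```

The second line is what the value looks like once it has passed through fullQuoteStr-style quoting; the first is what the integrator gets today when the value is only run through stdWrap.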