[TYPO3-dev] RFC #11120: stdWrap for TypoScript-select parameters

David Bruchmann typo3-dev at bruchmann-web.de
Mon Jun 8 19:21:44 CEST 2009


----- Original Message -----
From:       JoH asenau <info at cybercraft.de>
Sent:       Monday, 8 June 2009 14:42:00
To:         typo3-dev at lists.netfielders.de
CC:
Subject:    Re: [TYPO3-dev] RFC #11120: stdWrap for TypoScript-select 
parameters
>> The select function doesn't allow stdWrap for several parameters. So
>> they have to be hardcoded in TS.
>> I changed function getQuery in class.tslib_content.php so that all
>> parameters in the defined array $stdWrapAllowedValues are parsed
>> through stdWrap.
>>
>> Problem:
>> concerning my patch Jo Hasenau posted (28817) problems with optional
>> SQL-Injection
>>
>> Current Solution:
>> Added $GLOBALS['TYPO3_DB']->fullQuoteStr() to $queryParts['SELECT']
>> _______________
> 
> The problem is that you will always open up additional possibilities for
> security holes as long as the whole SELECT-query is not escaped properly.
> TypoScript based queries are currently not properly escaped, so it's already
> possible that an Integrator creates a hole without noticing it, because
> he/she might rely on the core to do the job.
> 
> Additional stdWrap options for other parameters won't make the current
> situation much worse, since it already is not very satisfying anyway.
> 
> IMHO it could be an option to add another stdWrap function "escapeValues" so
> that the Integrator can decide, if it's necessary to escape the values or
> not, since the problem only occurs, when using values from "outside" the
> TS-Setup (i.e. GPvar).
> 
> HTH
> 
> Joey
> 


Hello Jo,

TypoScript requires that values keep untouched referring quotes because 
stdWrap and other Options can be inherited - Quoting could break down the 
concept.
Perhaps you remarked that I quoted the value shortly before building 
the query and never mixed it up with common TypoScript-Parsing.
So it's in responsibility of function Select (as interface between DB 
and TypoScript) to quote the values in a proper way.
If it's possible to quote all values of a query without breaking down 
something, I'd propose to do that because knowledge about DBs, Injection 
and Security in general should be handled by the core and normally you 
can't expect that each Scriptler uses quoting as additional TS-parameter 
in the right manner.

Do you think I can quote simply all params of the query just before 
building the query $GLOBALS['TYPO3_DB']->SELECTquery() ?

An additional parameter for quoting is an option if for some reasons 
quoting all can break down functionality, but I'd like to prevent that.

Best Regards
David
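The question David raises, quoting every select parameter just before SELECTquery() versus treating each parameter according to what it is, as an added stand-alone example that is not code from the thread or from TYPO3 core. It uses a constructed minimal stdWrap, constructed stand-ins for the $GLOBALS['TYPO3_DB'] helpers (fullQuoteStr, an integer-list cleaner), a constructed per-parameter rule table in place of the RFC's $stdWrapAllowedValues, and a constructed hostile request value, so it runs without TYPO3.

```php
<?php
// Added example, not TYPO3 core code: a stand-alone model of the getQuery() flow
// discussed in the RFC. All helpers below are constructed stand-ins.

// Minimal stdWrap model (assumption): supports only "data = GP:<name>".
function miniStdWrap(string $value, array $conf, array $GP): string {
    if (isset($conf['data']) && strpos($conf['data'], 'GP:') === 0) {
        $value = $GP[substr($conf['data'], 3)] ?? '';
    }
    return $value;
}

// Stand-in for $GLOBALS['TYPO3_DB']->fullQuoteStr(): the real method escapes
// through the DB driver; addslashes() only models the quoting here.
function fullQuoteStr(string $value): string {
    return "'" . addslashes($value) . "'";
}

// Comma-separated id list (uidInList / pidInList): force every entry to an integer,
// so nothing but digits and commas can reach the IN (...) clause.
function cleanIntList(string $list): string {
    return implode(',', array_map('intval', explode(',', $list)));
}

// Per-parameter rule for the stdWrap-enabled select parameters (assumption, not the
// RFC's exact $stdWrapAllowedValues array): id lists and LIMIT are integers, not strings.
const SELECT_PARAM_RULES = ['uidInList' => 'intList', 'pidInList' => 'intList', 'max' => 'int'];

// $mode: 'raw'      = stdWrap output inserted as-is (the hole Joey describes);
//        'quoteAll' = fullQuoteStr() on every parameter, as asked in the thread:
//                     closes the hole, but turns '3,4' into one string and makes
//                     LIMIT '10' a syntax error, i.e. "quoting all" breaks things;
//        'perParam' = rule from SELECT_PARAM_RULES applied at the DB boundary.
function buildSelect(string $table, array $conf, array $GP, string $mode): string {
    $p = [];
    foreach (SELECT_PARAM_RULES as $param => $rule) {
        $v = miniStdWrap($conf[$param] ?? '', $conf[$param . '.'] ?? [], $GP);
        if ($mode === 'quoteAll') {
            $v = fullQuoteStr($v);
        } elseif ($mode === 'perParam') {
            $v = $rule === 'intList' ? cleanIntList($v) : (string) (int) $v;
        }
        $p[$param] = $v;
    }
    return "SELECT * FROM $table WHERE $table.uid IN ({$p['uidInList']})"
         . " AND $table.pid IN ({$p['pidInList']}) LIMIT {$p['max']}";
}

// Constructed TypoScript-like setup: uidInList is taken from a GET/POST variable.
$conf = ['uidInList.' => ['data' => 'GP:uid'], 'pidInList' => '3,4', 'max' => '10'];
$GP   = ['uid' => '0) OR (1=1'];   // constructed hostile request value

foreach (['raw', 'quoteAll', 'perParam'] as $mode) {
    echo str_pad($mode, 9), buildSelect('tt_content', $conf, $GP, $mode), "\n";
}
```

Running it prints the three query variants side by side; the 'where' and 'andWhere' parameters are deliberately absent because they are SQL fragments rather than values, which is exactly the part no quoting function can make safe on the integrator's behalf.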