[TYPO3-dev] RFC #11120: stdWrap for TypoScript-select parameters

JoH asenau info at cybercraft.de
Tue Jun 9 01:49:47 CEST 2009


> TypoScript requires that values keep their surrounding quotes untouched
> because stdWrap and other options can be inherited - quoting could
> break down the concept.

Doesn't matter in this case, because quoting usually should be applied as
the last function before handing over the values to the PHP functions.

> Perhaps you noticed that I quoted the value shortly before building
> the query and never mixed it up with common TypoScript parsing.
> So it's the responsibility of the Select function (as the interface between DB
> and TypoScript) to quote the values in a proper way.
> If it's possible to quote all values of a query without breaking
> something, I'd propose to do that, because knowledge about DBs,
> injection and security in general should be handled by the core, and
> normally you can't expect that each scriptler uses quoting as an
> additional TS parameter in the right manner.

Well - currently this is not done automatically when using TYPO3_DB
functions directly in PHP code of plugin classes, so we could handle it the
same way when calling these functions in TypoScript templates. As long as
the developer/integrator is told to escape the values properly and how to do
that, it would be exactly the same for extension developers and TypoScript
integrators.

On the other hand I really would appreciate a more foolproof solution :-)

> Do you think I can quote simply all params of the query just before
> building the query $GLOBALS['TYPO3_DB']->SELECTquery() ?

I don't think so, because depending on the DB field type this has to be
handled differently, which should be the case (according to the API) when
using $GLOBALS['TYPO3_DB']->fullQuoteStr. But I guess there must be some
reason for those other functions too (quoteStr, fullQuoteArray,
escapeStrForLike, cleanIntArray, cleanIntList).

Maybe somebody else can shed some light on it.

HTH

Joey

-- 
Wenn man keine Ahnung hat: Einfach mal Fresse halten!
(If you have no clues: simply shut your gob sometimes!)
Dieter Nuhr, German comedian
Twitter: http://twitter.com/bunnyfield
Xing: http://contact.cybercraft.de
T3 cookbook (2nd edition): http://www.4any1.de
TYPO3 Schulung: http://workshops.eqony.com
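The field-type argument above (one quoting helper per column type, applied as the last step before the query is built) is easiest to see in running code. The following is an added example written for this page, not code from the RFC, the thread or TYPO3 core: it uses a small stand-in class whose method names and argument order mirror the t3lib_DB helpers named in the reply (fullQuoteStr, quoteStr, escapeStrForLike, cleanIntList, SELECTquery), but the escaping itself is a simplification (addcslashes instead of mysql_real_escape_string, which needs a live connection) and is an assumption, as are the constructed input values and the tt_content column names.

```php
<?php
// Stand-in for the TYPO3_DB quoting API (assumption: same names and argument
// order as t3lib_DB in TYPO3 4.x, simplified escaping, no DB connection).
class QuotingStandIn
{
    // fullQuoteStr(): escape AND wrap in single quotes -> for string columns.
    public function fullQuoteStr($str, $table)
    {
        return "'" . $this->quoteStr($str, $table) . "'";
    }

    // quoteStr(): escape only; the caller supplies the surrounding quotes.
    // Escapes backslash, both quote characters, NUL, newline, CR and ^Z.
    public function quoteStr($str, $table)
    {
        return addcslashes($str, "\\'\"\x00\n\r\x1a");
    }

    // escapeStrForLike(): neutralise the LIKE wildcards '_' and '%'.
    // This does NOT replace quoteStr()/fullQuoteStr(); run it first, then quote.
    public function escapeStrForLike($str, $table)
    {
        return addcslashes($str, '_%');
    }

    // cleanIntList(): comma-separated list -> integers only, for IN (...) on
    // integer columns. Anything that is not a number collapses to an int.
    public function cleanIntList($list)
    {
        return implode(',', array_map('intval', explode(',', $list)));
    }

    public function SELECTquery($select, $from, $where, $groupBy = '', $orderBy = '', $limit = '')
    {
        $query = 'SELECT ' . $select . ' FROM ' . $from . ' WHERE ' . $where;
        if ($groupBy !== '') { $query .= ' GROUP BY ' . $groupBy; }
        if ($orderBy !== '') { $query .= ' ORDER BY ' . $orderBy; }
        if ($limit !== '')   { $query .= ' LIMIT ' . $limit; }
        return $query;
    }
}

$db    = new QuotingStandIn();
$table = 'tt_content';

// Constructed untrusted values, as they might reach a TypoScript select
// parameter via GET/POST (assumption: these column names exist).
$pidList = '1 OR 1=1';          // meant for an integer column (pid)
$header  = "x' OR 'a'='a";      // meant for a string column (header)
$needle  = '100%';              // meant for a LIKE pattern on bodytext

// Naive: values dropped into the WHERE clause untouched. Both the integer
// list and the string value smuggle their own boolean condition in.
$naiveWhere = 'pid IN (' . $pidList . ') AND header = \'' . $header . '\'';
echo $db->SELECTquery('uid,header', $table, $naiveWhere), PHP_EOL;

// Field-type aware: each value goes through the helper for its column type,
// and the quoting happens here, as the last step, not during TS parsing.
$safeWhere = 'pid IN (' . $db->cleanIntList($pidList) . ')'
    . ' AND header = ' . $db->fullQuoteStr($header, $table)
    . ' AND bodytext LIKE ' . $db->fullQuoteStr(
        '%' . $db->escapeStrForLike($needle, $table) . '%', $table);
echo $db->SELECTquery('uid,header', $table, $safeWhere), PHP_EOL;
```

Running it prints the two queries side by side: in the naive one the `OR` conditions from both inputs survive as SQL, while in the second the pid list is reduced to a plain integer, the header value is a single quoted string literal, and the `%` inside the search term is escaped so it matches a literal percent sign rather than acting as a wildcard. The order matters for LIKE: escapeStrForLike first, then fullQuoteStr, because the quoting step must also escape the backslash that the LIKE escaping introduced.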