[TYPO3-dev] CONTENT object and SQL injection prevention

Jigal van Hemert jigal at xs4all.nl
Sat Mar 27 16:03:24 CET 2010


In the aftermath of Bugday I tried to make a solution for the problem 
that there is no good way to prevent SQL injection problems in queries 
in the TypoScript CONTENT object.
C&C are very much welcome!

I'd like a few opinions before submitting this to the core list.

The patch is available at [1].

The problem
===========
Some of the properties of 'select' support stdWrap and thus allow the 
insertion of all kinds of outside data. There is no option to prevent 
SQL injection problems by properly quoting and escaping these values 
(except for integer values, which could be handled with prioricalc int).

The solution
============
The PHP PDO implementation features the use of named parameter markers 
to insert data in queries [2]. The values which are inserted are 
automatically escaped and quoted if necessary, thus preventing SQL 
injection problems with external data.
This patch allows the use of named parameter markers in most of the 
'select' properties.

Example:

10 = CONTENT
10 {
  table = tt_news
  select {
    selectFields = title,uid
    pidInList = 4
    where = title > :whatever
    # :whatever is a named marker, see below for the value definition
    markers {
      whatever.data = GP:first
    }
  }
}

In the new 'markers' property you can set up the named parameter markers 
and their values. Each marker has full stdWrap support, so the data can 
be built from any source.
If the value is an integer or a float (also an integer or float in a 
string), it is inserted as a numerical value; otherwise it's fed through 
t3lib_DB::fullQuoteStr().

Extra features
===============
- All properties (except 'andWhere') support these markers, so it 
becomes possible to make paginated output in TS.
- I'd like to nominate andWhere to be marked as deprecated with this 
feature, because the support of stdWrap allows SQL injection problems to 
occur; with named markers the functionality of andWhere is moved to a 
safer place.

Questions
=========
I'm not sure if there is a good way in the core to handle unknown 
markers where some have only a value ['markername'], others have only 
properties ['markername.'] and others have both.
The solution in the patch is to walk through the array and add elements 
with an empty value if there are only properties.


[1] http://www.xs4all.nl/~dcbjht/typo3/namedmarker_trunk.diff
[2] http://www.php.net/manual/en/pdo.prepare.php
-- 
Jigal van Hemert.
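The following is an added example and is not code from the post above or from the patch at [1]. It is a stand-alone PHP model of the behaviour the post describes: markers defined as value only, properties only, or both are normalised into one list; numeric values (also numeric strings) are inserted bare; everything else is quoted and escaped; and the result is set beside the andWhere-style concatenation the post wants to deprecate. Two assumptions: t3lib_DB::fullQuoteStr() is stood in by a local function built on addslashes() so the file runs without a database, and stdWrap is reduced to the single `data = GP:var` case, reading from a constructed request array instead of $_GET/$_POST.

```php
<?php
// Added example, not code from the post or the linked patch: a stand-alone
// model of substituting named markers into a 'select' query fragment.

// Stand-in for t3lib_DB::fullQuoteStr(). The real method escapes through the
// database driver; addslashes() is used here only so the file runs without a
// database connection.
function fullQuoteStr($str)
{
    return "'" . addslashes($str) . "'";
}

// Some markers are configured as 'name = value', some as 'name.prop = ...',
// some as both. Give property-only markers an empty plain value so a single
// list of marker names can be derived from the array.
function normalizeMarkers(array $markers)
{
    foreach (array_keys($markers) as $key) {
        if (substr($key, -1) === '.') {
            $plain = substr($key, 0, -1);
            if (!array_key_exists($plain, $markers)) {
                $markers[$plain] = '';
            }
        }
    }
    return $markers;
}

// Stand-in for stdWrap on one marker. Only 'data = GP:var' is modelled,
// reading from the supplied $request array instead of $_GET/$_POST.
function resolveMarkerValue($name, array $markers, array $request)
{
    $value = $markers[$name];
    if (isset($markers[$name . '.']['data'])) {
        $data = $markers[$name . '.']['data'];
        if (strncmp($data, 'GP:', 3) === 0) {
            $var = substr($data, 3);
            $value = isset($request[$var]) ? $request[$var] : '';
        }
    }
    // A GP array (e.g. ?first[]=x) is not a usable scalar; treat it as empty.
    return is_scalar($value) ? $value : '';
}

// Replace every ':name' in $sql. Numeric values (including numeric strings)
// are inserted as numbers; everything else is quoted and escaped.
function substituteMarkers($sql, array $markers, array $request)
{
    $markers = normalizeMarkers($markers);
    foreach ($markers as $key => $unused) {
        if (substr($key, -1) === '.') {
            continue;   // property sub-array, not a marker name
        }
        $value = resolveMarkerValue($key, $markers, $request);
        $replacement = is_numeric($value) ? (string)($value + 0) : fullQuoteStr($value);
        // The lookahead keeps ':max' from matching the start of ':maxItems';
        // the callback keeps '$1' or '\' in the value from being interpreted.
        $pattern = '/:' . preg_quote($key, '/') . '(?![A-Za-z0-9_])/';
        $sql = preg_replace_callback($pattern, function () use ($replacement) {
            return $replacement;
        }, $sql);
    }
    return $sql;
}

// Constructed request: a hostile string and a numeric paging parameter.
$request = array('first' => "x' OR 1=1 -- ", 'begin' => '20');

$markers = array(
    'whatever.' => array('data' => 'GP:first'),   // properties only
    'max'       => 10,                             // value only
    'begin.'    => array('data' => 'GP:begin'),    // properties only, numeric
);

// andWhere-style concatenation of a stdWrap'ed value: the quote in the
// value closes the literal and the rest becomes part of the WHERE clause.
$unsafe = "title > '" . $request['first'] . "'";
echo $unsafe, "\n";

// Named markers: the string is escaped and quoted, the numbers go in bare.
echo substituteMarkers('title > :whatever', $markers, $request), "\n";
echo substituteMarkers(':begin,:max', $markers, $request), "\n";   // LIMIT operands
```

Run it with `php` on the command line. One caveat worth keeping in mind for the numeric branch: is_numeric() accepts more than plain digits (leading whitespace, exponents such as "1e3"), which is why the value is normalised with `$value + 0` before insertion, so what reaches the query is always a PHP number and never the raw string.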



