[TYPO3-dev] CONTENT object and SQL injection prevention

Martin Holtz typo3ng_2009 at martinholtz.de
Mon Mar 29 14:36:07 CEST 2010


Hi Jigal,

>>> If the value is an integer or a float (also an integer or float in a
>>> string) it is inserted as a numerical value, otherwise it's fed through
>>> t3lib_DB::fullQuoteStr().
>> afaik you should use fullQuoteStr() for all values to be DBAL
>> compatible. Otherwise it could happen that you send an integer to a
>> varchar which could fail on some DBs.
> 
> Isn't this handled by DBAL? Numeric values in hardcoded parts of the
> query are also handled by DBAL, aren't they?

Sorry, I do not know. I thought not, but perhaps it does?


> As far as I've seen the table defined in the 'table' property of CONTENT
> is used for quoting. PHP only needs the connection for properly escaping
> the value for MySQL queries. I doubt that DBAL is capable of handling
> queries with different database systems for both ends of a join; a query
> should stay within a single database system. So, the table set in the
> 'table' property should be sufficient for fullQuoteStr().

Ah, yes, I think you are right.

So, how to quote does not depend on the table, but only on the DBMS.
If it means fullQuoteStr needs the table to detect which DBMS is used,
then you are right - the table should be enough.

regards,
martin

-- 
Martin Holtz - elemente websolutions http://www.elemente-websolutions.ms

http://wiki.typo3.org/Ts45min - TypoScript in "45" minutes
http://wiki.typo3.org/De:ts45min - (also in German)
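The quoting rule quoted at the top of this message (numeric values inserted as numeric literals, everything else through fullQuoteStr), written out as an added PHP example that is not part of the thread or of TYPO3. FakeDb is a constructed stand-in for t3lib_DB; the only method assumed from the real API is fullQuoteStr($str, $table), and the escaping inside the stand-in only mimics it.

```php
<?php
// Constructed stand-in for t3lib_DB: real fullQuoteStr() escapes via the
// live DB connection, which this offline example does not have.
class FakeDb {
    public function fullQuoteStr($str, $table) {
        $from = ["\\", "'", "\"", "\0", "\n", "\r", "\x1a"];
        $to   = ["\\\\", "\\'", "\\\"", "\\0", "\\n", "\\r", "\\Z"];
        return "'" . str_replace($from, $to, $str) . "'";
    }
}

/**
 * Turn one value into a SQL literal that is safe to concatenate.
 * The cast, not the is_numeric() check, is what guarantees that a
 * "numeric" string ends up as digits/sign/point only: is_numeric()
 * also accepts leading whitespace, exponents and (in PHP < 7) hex.
 */
function quoteValue($value, $table, $db) {
    if (is_int($value) || is_float($value)) {
        return (string)$value;
    }
    if (is_string($value) && is_numeric($value)) {
        $isFloat = strpos($value, '.') !== false || stripos($value, 'e') !== false;
        return $isFloat ? (string)(float)$value : (string)(int)$value;
    }
    // Anything else (including "1 OR 1=1") is a string and gets quoted.
    return $db->fullQuoteStr((string)$value, $table);
}

$db = new FakeDb();
$samples = [42, 3.5, "17", " 8", "1e3", "1 OR 1=1", "O'Reilly"];
foreach ($samples as $v) {
    $literal = quoteValue($v, 'tt_content', $db);
    echo var_export($v, true) . "  =>  " . $literal . "\n";
}
// 42 => 42, 3.5 => 3.5, '17' => 17, ' 8' => 8, '1e3' => 1000,
// '1 OR 1=1' => '1 OR 1=1' (quoted), 'O\'Reilly' => 'O\'Reilly' (escaped)
```

Whether numeric literals should also go through fullQuoteStr() for DBAL portability, as discussed above, is a separate question; this only shows that the numeric branch must cast rather than pass the raw string through.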