[Typo3] SQL Injection
karsten at typo3.org
Fri Mar 4 13:16:40 CET 2005
Daniel Novak wrote:
> The problem is the _bad_ coding. Using $_GET vars in PHP _with_ TYPO3 is
> very _bad_ behaviour.
> _WHY NOT_ use the built-in TYPO3 mechanisms like GPvars and PIvars?
GPvars and PIvars were used. But they do NOT touch the input, aside from
stripping any slashes added by PHP. You still have to check/sanitize
your data yourself.
NEVER RELY ON THIS HAPPENING BY ITSELF!
> If those guys who program extensions would program them according to the
> coding guidelines, we wouldn't have problems like these ....
Again, ack. Everything needed *is* in the guidelines, *and* it is documented
elsewhere in masses...
TYPO3 Association - Active Member
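As an added example, not taken from this thread or from TYPO3's own code, the following stand-alone PHP script shows the point made above: a GPvar-style helper only strips the slashes PHP's magic quotes may have added, so an injection payload that needs no quote characters at all passes through unchanged, and the extension itself has to make the query safe. The table name tx_demo_items, the helper function names and the request data are constructed for the demo; the intval() and fullQuoteStr() idioms mentioned in the comments are the TYPO3 3.x/4.x conventions of that era. PDO with an in-memory SQLite database stands in for $GLOBALS['TYPO3_DB'] so the script runs anywhere with the pdo_sqlite extension.

```php
<?php
// Added example; not code from the mailing-list post or from TYPO3.
// Demonstrates that slash-stripping is not input sanitization.

// Models what a GPvar/PIvar helper did to incoming data: undo
// magic_quotes_gpc (stripslashes) and nothing else. Assumption: the
// raw request value would have carried added slashes, so we strip
// unconditionally here to mimic the magic-quotes-on case.
function gpvar(array $request, $name) {
    if (!isset($request[$name])) {
        return null;
    }
    return stripslashes($request[$name]);
}

// Constructed in-memory database standing in for the extension's
// table. One row is hidden and must never be returned.
function setupDb() {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE tx_demo_items (uid INTEGER PRIMARY KEY, title TEXT, hidden INTEGER)');
    $db->exec("INSERT INTO tx_demo_items VALUES (1, 'public item', 0)");
    $db->exec("INSERT INTO tx_demo_items VALUES (2, 'secret item', 1)");
    return $db;
}

// VULNERABLE: trusts the "cleaned" GPvar and interpolates it into SQL.
// With uid = "1 OR 1=1" the WHERE clause becomes
//   hidden=0 AND uid=1 OR 1=1
// which, because AND binds tighter than OR, matches every row.
function fetchItemVulnerable(PDO $db, $uid) {
    $sql = 'SELECT title FROM tx_demo_items WHERE hidden=0 AND uid=' . $uid;
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// HARDENED: enforce the type you expect. intval() on an id is the
// classic TYPO3 idiom; for string values use proper quoting
// ($GLOBALS['TYPO3_DB']->fullQuoteStr() in TYPO3) or, as here, a
// prepared statement so the value can never be parsed as SQL.
function fetchItemHardened(PDO $db, $uid) {
    $stmt = $db->prepare('SELECT title FROM tx_demo_items WHERE hidden=0 AND uid=:uid');
    $stmt->execute(array(':uid' => intval($uid)));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed request: attacker-controlled id with an injected tail.
// No quotes are involved, so slash handling cannot help at all.
$request = array('uid' => '1 OR 1=1');
$uid = gpvar($request, 'uid');           // still "1 OR 1=1" after stripslashes()
$db = setupDb();

print_r(fetchItemVulnerable($db, $uid)); // both rows, the hidden one included
print_r(fetchItemHardened($db, $uid));   // only "public item"
```

Run it with `php demo.php`. The vulnerable branch returns both titles because the payload rewrote the WHERE clause; the hardened branch returns only "public item" because intval() reduces the payload to 1 and the value travels as a bound parameter rather than as SQL text.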