[Typo3] SQL Injection

Karsten Dambekalns karsten at typo3.org
Fri Mar 4 13:16:40 CET 2005


Hi.

Daniel Novak wrote:
> The problem is the _bad_ coding. Using $_GET vars in php _with_ typo3 is
> very _bad_ behaviour.

Ack.

> _WHY NOT_ use the built-in TYPO3 mechanisms like GPvars, and PIvars?

GPvars and PIvars were used. But they do NOT touch the input, aside from
stripping eventual slashes added by PHP. You still have to check/sanitize
your data yourself.

DO NEVER RELY ON THIS HAPPENING BY ITSELF!

> If those guys who program extensions would program them after the coding
> guidelines, we wouldn't have problems like these ....

Again, ack. Everything needed *is* in the guidelines, *and* it is documented
elsewhere in masses...

Karsten
-- 
Karsten Dambekalns
TYPO3 Association - Active Member
http://association.typo3.org/
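The point Karsten makes above, that GPvars/PIvars only undo PHP's magic-quotes slashes and never validate anything, is easiest to see side by side. The following is an added example written for this page, not code from the thread or from the TYPO3 project: the `$piVars` array, the `tt_news` table and the allowed sort columns are assumptions standing in for what a real frontend plugin would receive and query.

```php
<?php
// Added example (not from the mailing list thread). The array below stands in
// for the $this->piVars array a TYPO3 frontend plugin receives after the
// framework has stripped slashes. The values are constructed test input that no
// ordinary request would send; they show why stripping slashes is not sanitizing.
$piVars = [
    'uid'  => "1 OR 1=1",     // constructed: not a plain integer id
    'sort' => "title; DROP",  // constructed: not a plain column name
];

// Pattern the thread warns against: a raw PIvar is interpolated straight into
// SQL. Slashes were removed by the framework, but the value itself is unchecked.
function buildQueryUnsafe(array $piVars): string
{
    return "SELECT * FROM tt_news WHERE uid = " . $piVars['uid']
         . " ORDER BY " . $piVars['sort'];
}

// Hardened pattern: the plugin validates every value itself before it reaches
// the query. Numeric ids are cast to int; identifiers (column names) cannot be
// quoted, so they are matched against an allow-list the plugin owns.
function buildQuerySafe(array $piVars): string
{
    $uid = intval($piVars['uid']);                // "1 OR 1=1" becomes 1

    // assumption: the columns this particular plugin is allowed to sort by
    $allowedSort = ['title', 'datetime', 'uid'];
    $sort = in_array($piVars['sort'], $allowedSort, true)
          ? $piVars['sort']
          : 'datetime';                           // safe default on anything else

    return "SELECT * FROM tt_news WHERE uid = " . $uid . " ORDER BY " . $sort;
}

// Run both builders on the same constructed input so the difference is visible.
echo "unsafe: ", buildQueryUnsafe($piVars), "\n";
echo "safe:   ", buildQuerySafe($piVars), "\n";
```

The same rule applies to free-text PIvars (search terms, names): cast or allow-list what can be cast or allow-listed, and pass everything else through the database layer's own quoting function rather than hand-rolled escaping, since the GP/PI helpers will not do it for you.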
