[TYPO3] Advanced query not advanced enough - part 2

Pieter pieter.v at gmx.net
Sat May 13 20:54:30 CEST 2006


JoH wrote:
> 
> By enabling such a feature you would open up a big security hole, since it
> would be possible for non-admin users to do UPDATE, INSERT or DROP instead
> of SELECT.
> So this won't make it into my extension and surely not into the core.
> 

I don't know how a non-admin BE user can gain access to the database 
query.  Only admins can see the 'DB check'.  An admin could create a 
query with an INSERT/DELETE and assign it to a task.  Non-admins can 
then execute that task, but then it's the admin who decided to give a 
user that right...

> But of course we can improve the overall functionality of the query
> generator.
> Feel free to add as many additional search types for the different field types
> to your wishlist as you like.
> So I will be able to implement them in one go if I find the time after the
> release of the TYPO3 cookbook.

What about having an edit box where one can enter the condition for a 
field.  An example:
fe_users.usergroup <text from edit box>
    OR fe_users.usergroup <text from edit box>
    OR fe_users.usergroup <text from edit box>
    OR fe_users.usergroup <text from edit box>

But that still does not allow the very nice solution for my initial problem:
AND concat(',', fe_users.usergroup, ',') LIKE '%,1,%'
or
AND FIND_IN_SET('1' , fe_users.usergroup)

> 
>> But it's all free software of course and I better do it myself if I
>> want it.  But joh_advbesearch is not very easy to get in to...
> 
> The major problem is that it is based on Kaspers and Julles (sometimes
> weird) coding style and that it has to work in conjunction with user tasks
> and actions.
> My part was the improvement of features and usability together with some
> bugfixing.
> Took me quite some time too to dig into the original code.

I made a temporary fix by editing the file 
tx_johadvbesearch_querygenerator.php.  I changed the line
'66' => "#FIELD# LIKE '%#VALUE#%' AND #FIELD# LIKE '%#VALUE1#%'",
into
'66' => "#FIELD# LIKE '#VALUE#' AND #FIELD# LIKE '%#VALUE1#%'",

That works for now.

Regards,
Pieter
Webteam Vivant
http://www.vivant.org
Skype: callto://pietervsta
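The two list-matching approaches discussed in this thread, worked through as an added example that is not part of the mailing list post or of joh_advbesearch. It uses Python with an in-memory SQLite database (assumed here for portability; SQLite has no FIND_IN_SET, so the comma-wrapping form is written with `||` instead of MySQL's concat()), a constructed fe_users table, and shows why a plain `LIKE '%1%'` over a comma-separated usergroup column returns the wrong rows while wrapping the column in commas matches only whole list elements. Both queries bind the search value as a parameter, which keeps the SQL text fixed regardless of what is typed into the search form.

```python
import sqlite3

# Constructed sample rows: (uid, usergroup). The usergroup column holds a
# comma-separated list of group ids, the way TYPO3's fe_users.usergroup does.
SAMPLE_FE_USERS = [
    (1, "1"),
    (2, "11"),
    (3, "2,1,3"),
    (4, "21,3"),
    (5, "10"),
]


def make_db():
    """Build the in-memory table used by the examples below."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fe_users (uid INTEGER PRIMARY KEY, usergroup TEXT)")
    conn.executemany("INSERT INTO fe_users VALUES (?, ?)", SAMPLE_FE_USERS)
    return conn


def naive_like(conn, group_id):
    """The '%VALUE%' substring pattern from the query generator.

    Searching for group 1 also hits '11', '21' and '10', because LIKE has
    no notion of list elements, only of substrings.
    """
    rows = conn.execute(
        "SELECT uid FROM fe_users WHERE usergroup LIKE ? ORDER BY uid",
        ("%" + str(int(group_id)) + "%",),
    ).fetchall()
    return [r[0] for r in rows]


def member_of_group(conn, group_id):
    """Match whole list elements only.

    Equivalent of the thread's MySQL forms
        concat(',', fe_users.usergroup, ',') LIKE '%,1,%'
        FIND_IN_SET('1', fe_users.usergroup)
    written for SQLite, where || is string concatenation.
    int() rejects anything that is not a plain group id, so LIKE wildcards
    or quote characters cannot be smuggled into the pattern.
    """
    pattern = "%," + str(int(group_id)) + ",%"
    rows = conn.execute(
        "SELECT uid FROM fe_users WHERE (',' || usergroup || ',') LIKE ? ORDER BY uid",
        (pattern,),
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    print("LIKE '%1%'   ->", naive_like(db, 1))        # every row matches
    print("element == 1 ->", member_of_group(db, 1))   # only uids 1 and 3
```

The difference is visible on the constructed rows: the substring form reports all five users as members of group 1, the comma-wrapped form only the two whose list actually contains the element `1`.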