[TYPO3] Error in SQL with $GLOBALS['TYPO3_DB']->SELECTquery
Dmitry Dulepov [typo3]
dmitry at typo3.org
Fri Jun 6 16:12:17 CEST 2008
Hi!
Stephen Bungert wrote:
> Sorry, older output. Here is the correct one:
First, your code allows SQL injection from what I see. Maybe I am wrong but check, please.
> SELECT *
> FROM tx_metri_secure_log
> WHERE
> website=fmf.stephen.local
> ORDER BY tstamp DESC
> LIMIT 10
It is ok that it is split among lines. SQL syntax allows it. But 'fmf.stephen.local' is not quoted and this is an SQL error. Now imagine what will happen if someone passes this to your module:
"aaa";delete from pages;select 1 from pages
Your module will execute:
SELECT *
FROM tx_metri_secure_log
WHERE
website="aaa";delete from pages;select 1 from pages
ORDER BY tstamp DESC
LIMIT 10
Oops. You lost all your pages... This is SQL injection.
--
Dmitry Dulepov
Learn more about TYPO3: http://typo3bloke.net/
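As an added illustration of the point made in this reply (not code from the thread or from Stephen's extension), the following shows the unquoted WHERE clause beside the fixed version that runs the value through $GLOBALS['TYPO3_DB']->fullQuoteStr(), which is the t3lib_DB method TYPO3 4.x provides for quoting and escaping string literals. So that it runs under plain PHP without a TYPO3 installation, the example substitutes a small stand-in object (assumption: it mirrors only the two t3lib_DB methods used here; the real fullQuoteStr() escapes through the MySQL client library, addslashes() is an approximation). The table and column names are the ones from the thread.

```php
<?php
// Stand-in for the parts of t3lib_DB used below, so this file runs offline.
// In a real extension $GLOBALS['TYPO3_DB'] is supplied by the TYPO3 core.
class StandInTypo3Db {
    // Mirrors t3lib_DB::fullQuoteStr(): escape the value and wrap it in single quotes.
    // addslashes() stands in for the MySQL-aware escaping the core uses.
    public function fullQuoteStr($str, $table) {
        return "'" . addslashes($str) . "'";
    }

    // Mirrors t3lib_DB::SELECTquery(): assemble the statement string from its parts.
    public function SELECTquery($select, $from, $where, $groupBy = '', $orderBy = '', $limit = '') {
        $query = 'SELECT ' . $select . ' FROM ' . $from;
        if ($where !== '')   { $query .= ' WHERE ' . $where; }
        if ($groupBy !== '') { $query .= ' GROUP BY ' . $groupBy; }
        if ($orderBy !== '') { $query .= ' ORDER BY ' . $orderBy; }
        if ($limit !== '')   { $query .= ' LIMIT ' . $limit; }
        return $query;
    }
}
$GLOBALS['TYPO3_DB'] = new StandInTypo3Db();

// Vulnerable: the value is concatenated into the WHERE clause unquoted,
// which is both the SQL error seen in the thread and an injection point.
function buildLogQueryVulnerable($website) {
    return $GLOBALS['TYPO3_DB']->SELECTquery(
        '*', 'tx_metri_secure_log', 'website=' . $website, '', 'tstamp DESC', '10'
    );
}

// Fixed: fullQuoteStr() turns the value into a quoted, escaped string literal,
// so whatever the user sends is compared as data, never parsed as SQL.
function buildLogQueryFixed($website) {
    $where = 'website=' . $GLOBALS['TYPO3_DB']->fullQuoteStr($website, 'tx_metri_secure_log');
    return $GLOBALS['TYPO3_DB']->SELECTquery(
        '*', 'tx_metri_secure_log', $where, '', 'tstamp DESC', '10'
    );
}

// Normal input from the thread: the vulnerable form is a syntax error,
// the fixed form is a valid statement.
$normal = 'fmf.stephen.local';
echo buildLogQueryVulnerable($normal), "\n";
echo buildLogQueryFixed($normal), "\n";

// The payload quoted in the reply: unquoted it becomes three statements,
// quoted it is just an odd-looking website name inside one string literal.
$payload = '"aaa";delete from pages;select 1 from pages';
echo buildLogQueryVulnerable($payload), "\n";
echo buildLogQueryFixed($payload), "\n";
```

In the extension itself the same WHERE clause would be passed to $GLOBALS['TYPO3_DB']->exec_SELECTquery() with the same argument order; the stand-in only reproduces how the statement string is assembled. For numeric columns, casting with intval() before concatenation serves the same purpose as fullQuoteStr() does for strings.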