[TYPO3] First Extension attempt

Dmitry Dulepov [typo3] dmitry at typo3.org
Wed Mar 12 16:55:59 CET 2008


Hi!

Stephen Bungert wrote:
> This returns a resource ID:
> $this->query = $GLOBALS['TYPO3_DB']->exec_SELECTquery('uid_foreign',
> 'tt_news_related_mm', $GLOBALS['TYPO3_DB']->fullQuoteStr('uid_local',
> 'tt_news_related_mm') . '=1' . $this->newsId, '', '', '');
> 
> $this->newsId
> 
> Is the tt_news ID extracted from GET vars, using t3lib_div::_GET().

I'll correct you again :) You call fullQuoteStr for a simple string but you pass the unescaped value of a URL parameter, which makes SQL injection possible. Correct ways are:

$this->query = $GLOBALS['TYPO3_DB']->exec_SELECTquery('uid_foreign',
 'tt_news_related_mm', 'uid_local=' . intval($this->newsId), '', '', '');

or:

$this->query = $GLOBALS['TYPO3_DB']->exec_SELECTquery('uid_foreign',
 'tt_news_related_mm', 'uid_local=' . 
  $GLOBALS['TYPO3_DB']->fullQuoteStr($this->newsId, 'tt_news_related_mm'), '', '', '');

or even:

$rows = $GLOBALS['TYPO3_DB']->exec_SELECTgetRows('uid_foreign',
 'tt_news_related_mm', 'uid_local=' . intval($this->newsId));

I did not check what uid_local and uid_foreign refer to in this particular case but I think you have two related news items. To get them you can use:

$uidList = array();
foreach ($rows as $row) {
	$uidList[] = $row['uid_foreign'];
}

$relatedNews = array();
if (count($uidList) > 0) {
	$relatedNews = $GLOBALS['TYPO3_DB']->exec_SELECTgetRows('*',
		'tt_news', 'uid IN (' . implode(',', $uidList) . ')' .
		$this->cObj->enableFields('tt_news'));
}

Or even more sophisticated:

$sql = 'SELECT * FROM tt_news WHERE uid IN (SELECT uid_foreign FROM ' .
	'tt_news_related_mm WHERE uid_local=' . intval($this->newsId) .
	')' . $this->cObj->enableFields('tt_news');
$res = $GLOBALS['TYPO3_DB']->sql_query($sql);
$relatedNews = array();
while (false !== ($row = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($res))) {
	$relatedNews[] = $row;
}
$GLOBALS['TYPO3_DB']->sql_free_result($res);


> 
> Then I do this:
> $this->result = $GLOBALS['TYPO3_DB']->sql_fetch_row($this->query);
> 
> This never shows anything.

It did not because you have an error here:

> 'tt_news_related_mm') . '=1' . $this->newsId, '', '', '');

So, if $this->newsId is 5, you get "uid_local=15" in query.

-- 
Dmitry Dulepov
TYPO3 core team
Web: http://typo3bloke.net/
Skype: callto:liels_bugs
"Nothing is impossible. There are only limits to our knowledge"
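An added illustration, not from the original post or from TYPO3 itself, of the WHERE clause each of the three constructions above produces for a normal and a tampered newsId. The quoting helper is a stand-in for $GLOBALS['TYPO3_DB']->fullQuoteStr(), which in TYPO3 needs a live database connection:

```php
<?php
// Added example, not code from the original post. Shows the WHERE clause
// each construction produces for a normal and a tampered $newsId. The
// quoting helper is a stand-in for $GLOBALS['TYPO3_DB']->fullQuoteStr(),
// which in TYPO3 wraps mysql_real_escape_string() and needs a connection.

function fakeFullQuoteStr($str) {
    // Stand-in (assumption): escape quotes/backslashes, wrap in single quotes.
    return "'" . addslashes($str) . "'";
}

// 1. Clause from the question: quotes the column *name* as a string literal
//    and concatenates '=1' with the id, so id 5 yields ...=15.
function whereOriginal($newsId) {
    return fakeFullQuoteStr('uid_local') . '=1' . $newsId;
}

// 2. intval(): the right choice for an integer uid column; anything that is
//    not a number collapses to 0 or to the leading digits.
function whereIntval($newsId) {
    return 'uid_local=' . intval($newsId);
}

// 3. fullQuoteStr(): injection-safe too, but the value is compared as a
//    string; MySQL silently casts '5 OR 1=1' to 5, so intval is preferable
//    for integer columns.
function whereQuoted($newsId) {
    return 'uid_local=' . fakeFullQuoteStr($newsId);
}

// Constructed inputs: a normal id from the URL and a tampered one.
foreach (array('5', '5 OR 1=1') as $newsId) {
    echo "newsId = $newsId\n";
    echo '  original : ' . whereOriginal($newsId) . "\n";
    echo '  intval   : ' . whereIntval($newsId) . "\n";
    echo '  quoted   : ' . whereQuoted($newsId) . "\n";
}
```

For the tampered value the original clause carries the input verbatim into the query, while the intval and quoted forms both reduce it to a single integer comparison.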

