[TYPO3] First Extension attempt

Stephen Bungert s.bungert at metrinomics.de
Wed Mar 12 18:42:48 CET 2008


Thanks for your help! The extension is working out great. I see the result
in the right column.

All the related articles are listed, the body text is nicely cropped with
... at the end, I have the timestamp converted. All I have to do now is
find out how to link the title to the actual article (in single view).

It doesn't seem as daunting now, to start making more extensions when I need
them. I have a better understanding now about extensions, how they work, and
the TYPO3 API.

-----Original Message-----
From: typo3-english-bounces at lists.netfielders.de
[mailto:typo3-english-bounces at lists.netfielders.de] On Behalf Of Dmitry
Dulepov [typo3]
Sent: Wednesday, 12 March 2008 16:56
To: typo3-english at lists.netfielders.de
Subject: Re: [TYPO3] First Extension attempt

Hi!

Stephen Bungert wrote:
> This returns a resource ID:
> $this->query = $GLOBALS['TYPO3_DB']->exec_SELECTquery('uid_foreign',
> 'tt_news_related_mm', $GLOBALS['TYPO3_DB']->fullQuoteStr('uid_local',
> 'tt_news_related_mm') . '=1' . $this->newsId, '', '', '');
> 
> $this->newsId
> 
> Is the tt_news ID extracted from GET vars, using t3lib_div::_GET().

I'll correct you again :) You call fullQuoteStr for a simple string but you
pass the unescaped value of a URL parameter, which makes SQL injection possible.
Correct ways are:

$this->query = $GLOBALS['TYPO3_DB']->exec_SELECTquery('uid_foreign',
 'tt_news_related_mm', 'uid_local=' . intval($this->newsId), '', '', '');

or:

$this->query = $GLOBALS['TYPO3_DB']->exec_SELECTquery('uid_foreign',
 'tt_news_related_mm', 'uid_local=' . 
  $GLOBALS['TYPO3_DB']->fullQuoteStr($this->newsId, 'tt_news_related_mm'),
'', '', '');

or even:

$rows = $GLOBALS['TYPO3_DB']->exec_SELECTgetRows('uid_foreign',
 'tt_news_related_mm', 'uid_local=' . intval($this->newsId));

I did not check what uid_local and uid_foreign refer to in this particular
case but I think you have two related news items. To get them you can use:

$uidList = array();
foreach ($rows as $row) {
	$uidList[] = $row['uid_foreign'];
}

$relatedNews = array();
if (count($uidList) > 0) {
	$relatedNews = $GLOBALS['TYPO3_DB']->exec_SELECTgetRows('*',
		'tt_news', 'uid IN (' . implode(',', $uidList) . ')' .
		$this->cObj->enableFields('tt_news'));
}

Or even more sophisticated:

$sql = 'SELECT * FROM tt_news WHERE uid IN (SELECT uid_foreign FROM ' .
	'tt_news_related_mm WHERE uid_local=' . intval($this->newsId) .
	')' . $this->cObj->enableFields('tt_news');
$res = $GLOBALS['TYPO3_DB']->sql_query($sql);
$relatedNews = array();
while (false != ($row = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($res))) {
	$relatedNews[] = $row;
}
$GLOBALS['TYPO3_DB']->sql_free_result($res);


> 
> Then I do this:
> $this->result = $GLOBALS['TYPO3_DB']->sql_fetch_row($this->query);
> 
> This never shows anything.

It did not because you have an error here:

> 'tt_news_related_mm') . '=1' . $this->newsId, '', '', '');

So, if $this->newsId is 5, you get "uid_local=15" in the query.

-- 
Dmitry Dulepov
TYPO3 core team
Web: http://typo3bloke.net/
Skype: callto:liels_bugs
"Nothing is impossible. There are only limits to our knowledge"
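
The WHERE clauses discussed in this thread, built side by side for a few constructed GET values, as an added example that is not part of the original messages or of TYPO3. quoteStandIn() is a hypothetical stand-in for $GLOBALS['TYPO3_DB']->fullQuoteStr() (assumed here to wrap the escaped value in single quotes) so the script runs without a TYPO3 installation; the other function names and the sample inputs are likewise made up for illustration.

```php
<?php
// Added illustration, not TYPO3 code. quoteStandIn() is a hypothetical
// stand-in for $GLOBALS['TYPO3_DB']->fullQuoteStr(): the real method escapes
// through the database layer, this one uses addslashes() so it runs offline.
function quoteStandIn($value) {
    return "'" . addslashes((string)$value) . "'";
}

// WHERE clause as first posted: the column name is quoted, a stray "1" is
// glued in front of the value, and the GET value is appended unescaped.
function whereAsPosted($newsId) {
    return quoteStandIn('uid_local') . '=1' . $newsId;
}

// First correction from the reply: cast the value to an integer.
function whereIntval($newsId) {
    return 'uid_local=' . intval($newsId);
}

// Second correction from the reply: quote the value, not the column name.
function whereQuoted($newsId) {
    return 'uid_local=' . quoteStandIn($newsId);
}

// Constructed sample GET values: a plain id, an id followed by extra SQL,
// and a non-numeric string containing a quote character.
$samples = array('5', '5 OR uid_local>0', "abc'");

foreach ($samples as $input) {
    printf("input     : %s\n", $input);
    printf("as posted : %s\n", whereAsPosted($input));
    printf("intval    : %s\n", whereIntval($input));
    printf("quoted    : %s\n\n", whereQuoted($input));
}
```

With the posted clause the second sample reaches the SQL text unchanged, while intval() reduces it to 5 and the quoting variant keeps it inside a string literal. intval() turns the third sample into 0, so a caller may want to skip the query when the result is not a positive id.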