[TYPO3-english] a question about exec_SELECTquery()
Oliver Klee
typo3-german-02 at oliverklee.de
Thu Jan 8 20:36:44 CET 2009
Hi,
Luming Xing schrieb:
> It works, should I always write it, when I write a SQL in
> exec_SELECTquery()?
There are two aspects:
1. Making sure the query is valid to begin with. For this, you need to
use quotes around string fields (text, tinytext, varchar):
'first_name = "' . $firstName . '"'
Numeric values don't need to be quoted to get valid SQL:
'uid = ' . $uid
2. To avoid SQL injection, you absolutely must escape each data item
that is used for DB queries and that comes from a possibly untrusted
source (e.g. user input).
For text fields, you can use $GLOBALS['TYPO3_DB']->fullQuoteStr to
achieve both the escaping and the quoting:
'first_name = ' . $GLOBALS['TYPO3_DB']->fullQuoteStr(
$this->piVars['firstname'], 'tx_modatest_tabledozent'
)
For integer fields, you can use intval:
'uid = ' . intval($this->piVars['uid'])
You can find more about this in the TYPO3 coding guidelines:
<http://typo3.org/documentation/document-library/core-documentation/doc_core_cgl/current/>
Best regards,
Oliver
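Putting both points of the reply together, here is an added example (not code from the original post or from TYPO3 itself) of building the WHERE clause for exec_SELECTquery() in a TYPO3 4.x plugin. It assumes the TYPO3 framework is loaded so that $GLOBALS['TYPO3_DB'] is a t3lib_DB instance; the table name is taken from the reply, the column names and the sample piVars are constructed for the example.

```php
<?php
// Added example: safe vs. unsafe WHERE clause construction for
// $GLOBALS['TYPO3_DB']->exec_SELECTquery(). Assumes a running TYPO3 4.x
// (t3lib_DB available). Column names and sample input are constructed.

// Builds the WHERE clause the way the reply recommends:
// fullQuoteStr() for text columns (escapes AND adds the quotes),
// intval() for integer columns (reduces the value to a plain number).
function buildSafeWhere(t3lib_DB $db, $table, array $piVars) {
    return 'first_name = ' . $db->fullQuoteStr($piVars['firstname'], $table)
        . ' AND uid = ' . intval($piVars['uid']);
}

// The version the reply warns against: raw concatenation. Valid SQL for
// harmless input, but any quote character in the input changes the query.
function buildUnsafeWhere(array $piVars) {
    return 'first_name = "' . $piVars['firstname'] . '"'
        . ' AND uid = ' . $piVars['uid'];
}

$table = 'tx_modatest_tabledozent';

// Constructed user input: an apostrophe in a name and a non-numeric uid,
// both of which are perfectly plausible in real requests.
$piVars = array(
    'firstname' => "O'Brien",
    'uid'       => '42abc',
);

// buildUnsafeWhere() yields:  first_name = "O'Brien" AND uid = 42abc
// which is broken SQL (unquoted 42abc) and, with a double quote in the
// name instead, would let the input rewrite the statement.
// buildSafeWhere() yields:    first_name = 'O\'Brien' AND uid = 42
$where = buildSafeWhere($GLOBALS['TYPO3_DB'], $table, $piVars);

$res = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
    'uid, first_name',   // select fields
    $table,              // from table
    $where               // where clause built above
);
while ($row = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($res)) {
    // process $row['uid'], $row['first_name'] ...
}
$GLOBALS['TYPO3_DB']->sql_free_result($res);
```

Note that intval() silently turns '42abc' into 42; if a non-numeric uid should be rejected rather than truncated, check the input with t3lib_div::testInt() (TYPO3 4.x) before building the clause.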