[TYPO3-english] extending tt_news search

Jigal van Hemert jigal at xs4all.nl
Mon May 23 12:59:23 CEST 2011


Hi,

On 23-5-2011 12:19, horace grant wrote:
> I have extended the search function of tt_news with the searchWhere hook.
>
> Do I have to do anything special to prevent SQL injections, or will the
> where string be sanitized afterwards anyway?

If you have used
$GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['tt_news']['selectConfHook'] to
change the select configuration, you have to take care of possible SQL
injections yourself.

For integer values you can simply use intval() to make sure it's an
integer. For strings you can use
$GLOBALS['TYPO3_DB']->fullQuoteStr($value, <table_name>);
$GLOBALS['TYPO3_DB']->escapeStrForLike($value, <table_name>);
(see class t3lib_DB in t3lib/class.t3lib_db.php)

-- 
Kind regards / met vriendelijke groet,

Jigal van Hemert.
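
As an added illustration (not code from the thread or from tt_news itself) of the advice above, here is a selectConfHook class that appends user-supplied filter values to the WHERE clause with intval(), escapeStrForLike() and fullQuoteStr(). The method name processSelectConfHook(), its parameters and the $selectConf['where'] key are assumed from the tt_news 4.x-era source and should be checked against the version in use; the request parameter names are constructed for the example.

```php
<?php
// Register in ext_localconf.php (hypothetical extension key "myext"):
// $GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['tt_news']['selectConfHook'][] =
//     'EXT:myext/class.tx_myext_ttnewshook.php:tx_myext_ttnewshook';

class tx_myext_ttnewshook {

    /**
     * Called by tt_news before the news query is built (method name assumed).
     *
     * @param object $pObj       calling tt_news plugin object (unused here)
     * @param array  $selectConf select configuration; 'where' holds the SQL WHERE fragment
     * @return array modified select configuration
     */
    public function processSelectConfHook($pObj, $selectConf) {
        // Constructed request parameters; both are attacker-controlled input.
        $type    = t3lib_div::_GP('news_type');    // expected: integer (tt_news.type)
        $author  = t3lib_div::_GP('news_author');  // expected: exact string (tt_news.author)
        $keyword = t3lib_div::_GP('news_keyword'); // expected: free text for LIKE on tt_news.title

        // Unsafe variant, shown only to mark what the hook must NOT do:
        // $selectConf['where'] .= " AND tt_news.author='" . $author . "'";

        // Integer: casting makes any injected text collapse to a number.
        $type = intval($type);
        if ($type > 0) {
            $selectConf['where'] .= ' AND tt_news.type=' . $type;
        }

        // Exact string match: fullQuoteStr() escapes the value AND adds the
        // surrounding quotes, so no quotes are written by hand.
        $author = trim($author);
        if ($author !== '') {
            $selectConf['where'] .= ' AND tt_news.author='
                . $GLOBALS['TYPO3_DB']->fullQuoteStr($author, 'tt_news');
        }

        // LIKE pattern: escape the wildcard characters % and _ first, wrap the
        // result in the intended wildcards, then quote the whole pattern.
        $keyword = trim($keyword);
        if ($keyword !== '') {
            $pattern = '%' . $GLOBALS['TYPO3_DB']->escapeStrForLike($keyword, 'tt_news') . '%';
            $selectConf['where'] .= ' AND tt_news.title LIKE '
                . $GLOBALS['TYPO3_DB']->fullQuoteStr($pattern, 'tt_news');
        }

        return $selectConf;
    }
}
```

The order matters for the LIKE case: escapeStrForLike() before fullQuoteStr(), so that both the wildcard escapes and the string quoting survive intact.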

