[TYPO3-english] extending tt_news search

horace grant horace3d at gmail.com
Mon May 23 14:43:15 CEST 2011


thanks for your answers!



On Mon, May 23, 2011 at 12:59 PM, Jigal van Hemert <jigal at xs4all.nl> wrote:
> Hi,
>
> On 23-5-2011 12:19, horace grant wrote:
>>
>> I have extended the search function of tt_news with the searchWhere hook.
>>
>> Do I have to do anything special to prevent SQL injections, or will the
>> WHERE string be sanitized afterwards anyway?
>
> If you have used
> $GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['tt_news']['selectConfHook'] to
> change the select configuration, you have to take care of possible SQL
> injections yourself.


I used this hook:
$GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['tt_news']['searchWhere']
and added some stuff to the $where string.

So, I guess what you said applies to this hook too?


>
> For integer values you can simply use intval() to make sure it's an integer.
> For strings you can use
> $GLOBALS['TYPO3_DB']->fullQuoteStr($value, <table_name>);
> $GLOBALS['TYPO3_DB']->escapeStrForLike($value, <table_name>);
> (see class t3lib_DB in t3lib/class.t3lib_db.php)
>
> --
> Kind regards / met vriendelijke groet,
>
> Jigal van Hemert.
> _______________________________________________
> TYPO3-english mailing list
> TYPO3-english at lists.typo3.org
> http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-english
>
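As an added example (not code from this thread, nor from tt_news or TYPO3 itself), here is how a searchWhere hook class could apply the advice above: intval() for integers, escapeStrForLike() followed by fullQuoteStr() for strings that end up in a LIKE. The class name tx_myext_searchwhere, the extension key "myext", the request parameter myext_year and the method signature searchWhere($where, $searchWord, $pObj) are assumptions; the real hook signature should be checked against the call site in tt_news (class.tx_ttnews.php). The unsafe method is kept only to show what goes wrong when request data is concatenated directly.

```php
<?php
/**
 * Added example, not code from the thread or from tt_news/TYPO3.
 * Assumptions: class name, extension key "myext", the GET/POST parameter
 * "myext_year" and the hook signature searchWhere($where, $searchWord, $pObj)
 * are hypothetical; verify them against the tt_news hook call site.
 */
class tx_myext_searchwhere {

    /** Extra tt_news columns to search. Fixed list in code, never taken from the request. */
    protected $extraFields = array('keywords', 'author');

    /**
     * UNSAFE variant, for contrast only. $searchWord comes from the request and is
     * pasted into the query unchanged: a quote character ends the string literal,
     * and % or _ act as LIKE wildcards the user did not intend to be there.
     */
    public function searchWhereUnsafe($where, $searchWord, $pObj) {
        foreach ($this->extraFields as $field) {
            $where .= " OR tt_news.$field LIKE '%" . $searchWord . "%'";
        }
        return $where;
    }

    /**
     * Hardened variant using the t3lib_DB helpers from t3lib/class.t3lib_db.php.
     * Order matters: escape the LIKE wildcards first, then quote the whole literal.
     * fullQuoteStr() adds the surrounding quotes itself, so none are written by hand.
     */
    public function searchWhere($where, $searchWord, $pObj) {
        $db = $GLOBALS['TYPO3_DB'];

        // escapeStrForLike(): neutralises % and _ in the user's input.
        // fullQuoteStr(): escapes quotes/backslashes and wraps the value in quotes.
        $pattern = $db->fullQuoteStr(
            '%' . $db->escapeStrForLike($searchWord, 'tt_news') . '%',
            'tt_news'
        );

        $parts = array();
        foreach ($this->extraFields as $field) {
            // $field comes from the whitelist above, so interpolating it is safe.
            $parts[] = 'tt_news.' . $field . ' LIKE ' . $pattern;
        }

        // Integer filter from the request (hypothetical parameter): intval() is
        // all that is needed, because the result can only ever be digits.
        $year = intval(t3lib_div::_GP('myext_year'));
        if ($year > 0) {
            $parts[] = 'YEAR(FROM_UNIXTIME(tt_news.datetime)) = ' . $year;
        }

        // How the returned fragment is grouped with the rest of the query depends on
        // the call site; if $where is not already parenthesised, wrap the ORs yourself.
        return $where . ' OR ' . implode(' OR ', $parts);
    }
}

// Registration, e.g. in ext_localconf.php of the hypothetical extension "myext":
$GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['tt_news']['searchWhere'][] =
    'EXT:myext/class.tx_myext_searchwhere.php:&tx_myext_searchwhere';
```

The point of the two methods side by side: nothing downstream of the hook re-sanitises the string, so whatever the hook returns is what reaches MySQL. Quoting with fullQuoteStr() closes the injection, escapeStrForLike() additionally stops a search term from turning into a wildcard match, and intval() covers the numeric case without any quoting at all.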

