[TYPO3-english] Render Content from php
Jigal van Hemert
jigal.van.hemert at typo3.org
Thu Nov 22 10:00:26 CET 2012
Hi,
On 22-11-2012 7:38, Georg Ringer wrote:
> Hi,
>
> On 21.11.2012 16:52, Pablo Feldman wrote:
>> 5 = CONTENT
>> 5 {
>>   table = tt_content
>>   select {
>>     selectFields = bodytext,CType,pi_flexform,list_type
>>     pidInList = 2
>>     andWhere.cObject = COA
>>     andWhere.cObject {
>>       10 = TEXT
>>       10.dataWrap = sys_language_uid = {GP:L}
>>     }
>
> Be aware that you have a security risk here, as you don't escape the user
> data and therefore you have a SQL injection.
>
> Please use 10.intval = 1 !
Even better: always use markers to inject data in queries:
select {
  selectFields = bodytext,CType,pi_flexform,list_type
  pidInList = 2
  where = sys_language_uid=###langid###
  markers {
    langid.data = GP:L
  }
}
Markers are supported in all properties of 'select'; they have full
stdWrap support and are automatically escaped and quoted.
--
Jigal van Hemert
TYPO3 Core Team member
TYPO3 .... inspiring people to share!
Get involved: typo3.org
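As an added example (not code from the thread or from TYPO3 itself), the three variants discussed in this thread rebuilt against an in-memory SQLite table: the tt_content rows are constructed, the intval emulation is an assumption about PHP's behaviour on leading digits, and a bound parameter stands in for the escaping and quoting TYPO3 applies to marker values.

```python
import re
import sqlite3

# Constructed, simplified tt_content table: only the columns this thread touches.
ROWS = [
    (1, 2, 0, "Welcome (default language)"),
    (2, 2, 1, "Willkommen (language 1)"),
    (3, 2, 2, "Bienvenue (language 2)"),
    (4, 5, 0, "Other page, not selected by pidInList = 2"),
]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tt_content "
               "(uid INTEGER, pid INTEGER, sys_language_uid INTEGER, bodytext TEXT)")
    db.executemany("INSERT INTO tt_content VALUES (?, ?, ?, ?)", ROWS)
    return db

def query_datawrap(db, gp_l):
    # Equivalent of: 10.dataWrap = sys_language_uid = {GP:L}
    # The raw GET/POST value is concatenated into the WHERE clause: SQL injection.
    sql = ("SELECT bodytext FROM tt_content "
           "WHERE pid IN (2) AND sys_language_uid = " + gp_l)
    return [r[0] for r in db.execute(sql)]

def query_intval(db, gp_l):
    # Equivalent of adding 10.intval = 1: the value is cast to an integer first.
    # Assumed emulation of PHP intval(): leading digits kept, anything else gives 0.
    m = re.match(r"\s*[+-]?\d+", gp_l)
    value = int(m.group()) if m else 0
    sql = ("SELECT bodytext FROM tt_content "
           "WHERE pid IN (2) AND sys_language_uid = %d" % value)
    return [r[0] for r in db.execute(sql)]

def query_marker(db, gp_l):
    # Equivalent of: where = sys_language_uid=###langid### / markers { langid.data = GP:L }
    # TYPO3 escapes and quotes marker values; a bound parameter plays that role here,
    # so the input is always data and never becomes part of the SQL text.
    sql = ("SELECT bodytext FROM tt_content "
           "WHERE pid IN (2) AND sys_language_uid = ?")
    return [r[0] for r in db.execute(sql, (gp_l,))]

if __name__ == "__main__":
    db = make_db()
    for tainted in ("1", "0 OR 1=1"):
        print("GP:L =", repr(tainted))
        print("  dataWrap:", query_datawrap(db, tainted))
        print("  intval:  ", query_intval(db, tainted))
        print("  marker:  ", query_marker(db, tainted))
```

With the crafted value the dataWrap variant returns every row in the table, including the one outside pidInList = 2, while the intval and marker variants stay confined to the requested language.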