[TYPO3-english] Render Content from php
Gorosito Gonzalo
xgonzalo at gmail.com
Thu Nov 29 20:02:49 CET 2012
Jigal,
That's a nice tip.
Thanks
#######################################
# Gonzalo Gorosito
# Programmer && sysadmin
#
# http://www.tutorialesdebian.com - Tutorials for Debian users, scripts,
info, news and much more.
# http://www.ggorosito.com.ar - Personal website
#######################################
On Thu, Nov 22, 2012 at 6:00 AM, Jigal van Hemert <jigal.van.hemert at typo3.org> wrote:
> Hi,
>
>
> On 22-11-2012 7:38, Georg Ringer wrote:
>
>> Hi,
>>
>> On 21.11.2012 16:52, Pablo Feldman wrote:
>>
>>> 5 = CONTENT
>>> 5 {
>>> table = tt_content
>>> select {
>>> selectFields = bodytext,CType,pi_flexform,list_type
>>> pidInList = 2
>>> andWhere.cObject = COA
>>> andWhere.cObject {
>>> 10 = TEXT
>>> 10.dataWrap = sys_language_uid = {GP:L}
>>> }
>>>
>>
>> be aware that you have a security risk here, as you don't escape the user
>> data and therefore you have a SQL injection.
>>
>> Please use 10.intval = 1!
>>
>
> Even better: always use markers to inject data in queries:
>
>
> select {
> selectFields = bodytext,CType,pi_flexform,list_type
> pidInList = 2
> where = sys_language_uid=###langid###
> markers {
> langid.data = GP:L
> }
> }
>
> Markers are supported in all properties of 'select'; they have full
> stdWrap support and are automatically escaped and quoted.
>
> --
> Jigal van Hemert
> TYPO3 Core Team member
>
> TYPO3 .... inspiring people to share!
> Get involved: typo3.org
>
> _______________________________________________
> TYPO3-english mailing list
> TYPO3-english at lists.typo3.org
> http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-english
>
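The three variants discussed in the thread, side by side, as an added example that is not part of the original posts and not TYPO3 code. It emulates in Python with an in-memory SQLite database what the CONTENT object's select does with GP:L: the dataWrap version pastes the request parameter into the WHERE clause verbatim, the intval version reduces it to an integer first (a small emulation of PHP's intval()), and the marker version substitutes an escaped, quoted literal. The tt_content and be_users rows are constructed sample data, and the quoting helper uses SQLite's doubled-quote escaping rather than the MySQL driver's backslash escaping; both are assumptions made for the demo.

```python
import re
import sqlite3

# Constructed sample rows standing in for TYPO3's tt_content table
# (assumption: only the columns the thread's select touches are modelled).
TT_CONTENT = [
    (1, 2, 0, "text", "Default-language body on page 2"),
    (2, 2, 1, "text", "Translation (L=1) on page 2"),
    (3, 2, 2, "list", "Translation (L=2) on page 2"),
    (4, 3, 0, "text", "Body on page 3, outside pidInList"),
]
# A second, constructed table the CONTENT object was never meant to read.
BE_USERS = [(1, "admin", "$P$constructed-hash-not-real")]


def make_db():
    """In-memory SQLite standing in for the TYPO3 database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tt_content (uid INTEGER, pid INTEGER, "
                "sys_language_uid INTEGER, CType TEXT, bodytext TEXT)")
    con.executemany("INSERT INTO tt_content VALUES (?,?,?,?,?)", TT_CONTENT)
    con.execute("CREATE TABLE be_users (uid INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO be_users VALUES (?,?,?)", BE_USERS)
    return con


def php_intval(value):
    """Emulate PHP intval() on a string: leading optional sign and digits, else 0."""
    m = re.match(r"\s*([+-]?\d+)", value)
    return int(m.group(1)) if m else 0


def full_quote(value):
    """Return an escaped, quoted SQL string literal (assumption: SQLite-style
    doubled single quotes; TYPO3 on MySQL escapes via the driver instead)."""
    return "'" + value.replace("'", "''") + "'"


def where_datawrap(l):
    """Pablo's original: dataWrap pastes the raw GP:L value into the query."""
    return f"sys_language_uid = {l}"


def where_intval(l):
    """Georg's fix: 10.intval = 1 turns the value into an integer first."""
    return f"sys_language_uid = {php_intval(l)}"


def where_marker(l):
    """Jigal's fix: ###langid### is replaced by the escaped, quoted value."""
    return f"sys_language_uid={full_quote(l)}"


def fetch(con, where):
    """Run the CONTENT object's select with the given language condition."""
    sql = ("SELECT uid, CType, bodytext FROM tt_content "
           f"WHERE pid IN (2) AND {where}")
    return con.execute(sql).fetchall()


def uids(con, where):
    """Sorted uids returned for a condition; the easiest thing to compare."""
    return sorted(row[0] for row in fetch(con, where))


if __name__ == "__main__":
    con = make_db()
    # Two constructed attacker values for L; the second reads be_users through
    # the same injection point because the select returns three columns.
    payloads = ["1", "0 OR 1=1",
                "0 UNION SELECT uid, username, password FROM be_users"]
    for p in payloads:
        print(f"L={p!r}")
        for name, build in (("dataWrap", where_datawrap),
                            ("intval", where_intval),
                            ("marker", where_marker)):
            print(f"  {name:9s} -> {fetch(con, build(p))}")
```

With L=1 all three variants return the same translated row. With L="0 OR 1=1" the dataWrap query becomes `... pid IN (2) AND sys_language_uid = 0 OR 1=1`, and since AND binds tighter than OR the pidInList restriction is bypassed along with the language one; the UNION payload pulls be_users rows out through the same select. intval reduces either payload to 0 and returns only the default-language row, and the marker variant compares the column against a quoted string, which matches nothing in SQLite. One caveat for MySQL, which TYPO3 normally runs on: MySQL converts a quoted string to a number by taking its leading numeric prefix (with a warning), so `'0 OR 1=1'` would compare as 0 and return the default-language row. That is still not an injection, but if you want the intval semantics you can combine the two: use the marker and also apply `langid.intval = 1` through the marker's stdWrap support.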