[TYPO3-english] how to: properly escape strings in 4.5.30?

Richard Davies richard at ocular.co.nz
Thu Nov 21 22:25:03 CET 2013


Hi,

A few things about the Typo3 DB API and escaping:

When using one of the SELECTquery statements, you must escape the data
with $GLOBALS['TYPO3_DB']->quoteStr(). In your example you only pass it
the value. The API (from
http://typo3.org/api/typo3cms/class_t_y_p_o3_1_1_c_m_s_1_1_dbal_1_1_database_1_1_database_connection.html#a39220a350684bd73ecb88d7eabe350f2
):

> Escaping and quoting values for SQL statements.
>
> Parameters
>     string    Input string
>     string    Table name for which to quote string. Just enter the table
> that the field-value is selected from (and any DBAL will look up which
> handler to use and then how to quote the string!).
>
> Returns
>     string    Output string; Wrapped in single quotes and quotes in the
> string (" / ') and \ will be backslashed (or otherwise based on DBAL
> handler)
So if you wanted to escape a field for fe_users, you would use
$GLOBALS['TYPO3_DB']->quoteStr('fe_users',$value);

When using one of the INSERTquery or UPDATEquery methods, unless you specify
otherwise the query itself will escape values, so you don't have to do
anything. Remember to only escape values once, or the slashes start building
up. So all you need to do is: take the value; if it's a SELECTquery, escape
it; otherwise, if it's an INSERT or an UPDATE, just use the raw value (after
escaping for XSS and other attack vectors).

Richard


On 22 November 2013 10:10, Calgacus map Brude <calgach at gmail.com> wrote:

> Hi Xavier,
> Thanks for responding.
> When I change my code like so :
>  /**
>     * action admin
>     *
>     * @return void
>     */
>    public function adminAction() {
>        $postsvars =  t3lib_div::_POST();
>        $prizes = $postsvars['tx_bingoprizes_bingofrontend']['prize'];
>
>
>        foreach ($prizes as $key => $prize) {
>            foreach ($prize as $field => $value) {
>                //echo "Magic quotes is " . (get_magic_quotes_gpc() ? "ON"
> : "OFF");
>               // echo strip_tags($value) ;die;
>                $cleanedValues[$field] = $GLOBALS['TYPO3_DB']->
> quoteStr(strip_tags($value));// strip_tags($value);//
> mysql_real_escape_string(strip_tags($value));
>            }
> ......................
>
> I get this error:
> Uncaught TYPO3 Exception
> #1310027933: DBAL fatal error: No handler found in
> handler_getFromTableList() for: "" (SQL engine parse ERROR: No table name
> found as expected in parseFromTables()!: near " ")
> RuntimeException thrown in file
> /home/typo3_src/typo3_src-4.5.30/typo3/sysext/dbal/class.ux_t3lib_db.php
> in line 3076.
> when execution hits the line with the call to $GLOBALS['TYPO3_DB']->
> quoteStr()
> Are those DBAL methods still the way to go in v 4.5.30?
>
>
> _______________________________________________
> TYPO3-english mailing list
> TYPO3-english at lists.typo3.org
> http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-english
>
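As an added illustration of the advice in Richard's reply (this is not code from the thread or from the TYPO3 project), the snippet below shows the three cases side by side in TYPO3 4.5 extension code: a SELECT whose WHERE clause is built with the table-aware quoting functions, an INSERT and an UPDATE that receive raw values because those methods quote for you, and output escaping as the separate step it is. The quoted DBAL error ("No handler found ... for: """) is what you get when the table argument is missing, so every quoting call here passes it. Assumed names: the fe_users table from the API excerpt, a hypothetical tx_example_prizes table with a title column, and a hypothetical prize_name POST field; the code needs a bootstrapped TYPO3 4.5 with $GLOBALS['TYPO3_DB'] available.

```php
<?php
// Added example, not from the original thread. Assumes a bootstrapped TYPO3
// 4.5 with $GLOBALS['TYPO3_DB'], the real 'fe_users' table, and a
// hypothetical 'tx_example_prizes' table (column 'title') plus a
// hypothetical 'prize_name' POST field.

/** @var t3lib_DB $db */
$db = $GLOBALS['TYPO3_DB'];

// Untrusted input exactly as it arrives from the request.
$postVars = t3lib_div::_POST();
$rawName  = isset($postVars['prize_name']) ? (string) $postVars['prize_name'] : '';

// 1) SELECT: the value becomes part of the SQL text, so it must be quoted for
//    the table it is compared against. The API excerpt lists the input string
//    first and the table name second. fullQuoteStr() escapes AND wraps in
//    single quotes; quoteStr() only escapes, so you add the quotes yourself.
$where = 'username = ' . $db->fullQuoteStr($rawName, 'fe_users')
       . ' AND deleted = 0';
$rows = $db->exec_SELECTgetRows('uid, username', 'fe_users', $where);

// Same clause built with quoteStr(): note the explicit surrounding quotes.
$whereWithQuoteStr = "username = '" . $db->quoteStr($rawName, 'fe_users') . "'"
                   . ' AND deleted = 0';

// 2) INSERT / UPDATE: exec_INSERTquery() and exec_UPDATEquery() quote every
//    entry of the $fields_values array themselves. Pass the raw value; an
//    already-escaped value would be stored with doubled backslashes.
$fieldsValues = array(
    'pid'    => 0,
    'tstamp' => time(),
    'title'  => strip_tags($rawName),   // content filtering, not SQL escaping
);
$db->exec_INSERTquery('tx_example_prizes', $fieldsValues);
$newUid = (int) $db->sql_insert_id();

// The WHERE part of an UPDATE is raw SQL text again, so the integer is cast
// (a string would be quoted as above); the values array stays unescaped.
$db->exec_UPDATEquery(
    'tx_example_prizes',
    'uid = ' . $newUid,
    array('title' => strip_tags($rawName))
);

// 3) Output escaping is independent of SQL escaping: whatever was stored is
//    HTML-escaped when it is rendered, so a value that is safe for the
//    database is also safe for the browser.
if (is_array($rows)) {
    foreach ($rows as $row) {
        echo htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8') . "\n";
    }
}
```

The split the example makes is the one Richard describes: quoting happens exactly once, at the point where a value is spliced into SQL text (SELECT and UPDATE WHERE clauses), never on values handed to the INSERT/UPDATE helpers, and strip_tags() or htmlspecialchars() are applied for the HTML context rather than being mistaken for SQL escaping.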

