[TYPO3-english] how to: properly escape strings in 4.5.30?

Xavier Perseguers xavier at typo3.org
Sat Nov 23 13:06:09 CET 2013


Hi,

Calgacus map Brude wrote:
> or am I worried over nothing?  is typo3/extbase susceptible to sql
> injection attacks when using the default update and add methods?  If it
> uses string concat to piece together sql then it may be but if it uses
> prepared statement it isn't.  I come from a place that still used a lot
> of string concat sql so this worry is just second nature to me.

Unless you wrote part of the persistence yourself, if you use Extbase,
your domain model and repositories, you naturally don't have to think
about the database; that's the goal of the ORM. You deal with content
and do not think about escaping single quotes or the like.

However, if you write SQL yourself, then you have to take care.

-- 
Xavier Perseguers
Release Manager TYPO3 4.6

TYPO3 .... inspiring people to share!
Get involved: http://typo3.org
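To show what "take care" means for a 4.5 extension that builds its own SQL, here is an added example (not code from the post or from TYPO3 itself): the unescaped query beside the escaped one, using the `fullQuoteStr()` and `intval()` pattern with the `$GLOBALS['TYPO3_DB']` object that 4.5 provides; the table and field names are assumed.

```php
<?php
// Added example, not from the mailing-list post. Shows hand-written SQL in a
// TYPO3 4.5 extension, first unescaped, then escaped with the t3lib_DB API
// available as $GLOBALS['TYPO3_DB']. Table and field names are constructed.

$table = 'tx_myext_domain_model_note';   // assumed table name

// UNSAFE: the request value is spliced straight into the WHERE clause, so a
// single quote in $title changes the query instead of being matched as data.
function findNotesByTitleUnsafe($title) {
    global $table;
    $where = "title = '" . $title . "' AND deleted = 0";
    return $GLOBALS['TYPO3_DB']->exec_SELECTgetRows('uid, title', $table, $where);
}

// SAFE: every string goes through fullQuoteStr(), which adds the quotes and
// escapes the value for the configured DBMS; integers are cast with intval()
// so nothing but digits can end up in the statement.
function findNotesByTitle($title, $pid) {
    global $table;
    $db = $GLOBALS['TYPO3_DB'];
    $where = 'title = ' . $db->fullQuoteStr($title, $table)
           . ' AND pid = ' . intval($pid)
           . ' AND deleted = 0';
    return $db->exec_SELECTgetRows('uid, title', $table, $where);
}

// exec_UPDATEquery() quotes the values in its fields array itself, but the
// WHERE clause is still raw SQL and has to be built the same careful way.
function renameNote($uid, $newTitle) {
    global $table;
    return $GLOBALS['TYPO3_DB']->exec_UPDATEquery(
        $table,
        'uid = ' . intval($uid),
        array('title' => $newTitle)
    );
}
```

The same rule applies to any `$where` string you pass to the `exec_*` helpers: values that are not quoted by the helper itself must be run through `fullQuoteStr()` or cast to an integer first.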



More information about the TYPO3-english mailing list