[TYPO3-english] wfqbe security: how to clear queries to avoid SQL injections in GET and POST
poohdafg at gmx.de
Tue May 6 04:29:18 CEST 2014
Hi,
after gratefully trying and exploring WFQBE,
I'm getting to the security issues as addressed by Mauro in the docs:
http://docs.typo3.org/typo3cms/extensions/wfqbe/ExtDbIntegration/ImportantSecurityTopics/
Just to make sure I got this right:
if I use an edit query with id 25, I only have to insert
plugin.tx_wfqbe_pi1.customQuery.25.WFQBE_PARAM.wfqbe.intval=1
in an ext-TS record on that page and that's it?
(Found it in the Config Manual as well: "customQuery.XXX.wfqbe.intval - Boolean - This option should be used each time you get an integer value via GET or POST. Using this option you can prevent SQL Injections")
Since I'm not an enlightened pro in MySQL and do not know how and when the POST and GET parameters are exactly used, unfortunately, I do not feel too sure why this helps to avoid SQL injections, but it does, does it? I felt like I could use WFQBE safely without knowing how to hard-code DB requests, but if I am not able to do it safely you will surely suggest that I not use it at all?
Also, before I come to the above mentioned edit page I have to be led there from another one with these links:
plugin.tx_wfqbe_pi1.customProcess.16 {
    # adjust id detail view
    uid = COBJ_ARRAY
    uid {
        # This object is used to provide a link to edit the record
        20 = TEXT
        20.value = Eintrag bearbeiten
        20.typolink = 1
        # page-id where edit-query:
        20.typolink.parameter = 19
        20.typolink.additionalParams = &tx_wfqbe_pi1[uid]=###WFQBE_FIELD_uid###&tx_wfqbe_pi1[wfqbe_editing_mode]=1
    }
}
I do not have to clear anything here, do I?
How can I actually check whether the security fixing code does what it is supposed to do?
Thank you for bringing some light into this!
Best regards,
*Eitel
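The question above asks what the wfqbe.intval option actually does to a GET/POST value and how to check that it works. The following PHP script is an added illustration, not code from the wfqbe extension or from the poster: it builds the same kind of "WHERE uid = <parameter>" query three ways against a small in-memory SQLite table (table name, column names and sample rows are constructed for the example; PDO with the SQLite driver is assumed to be available) and counts the rows each variant returns for a clean value and for a malformed one.

```php
<?php
// Added example, not part of wfqbe. Demonstrates why coercing an integer
// parameter with intval() before it is placed into SQL blocks injection,
// and how to verify that behaviour with a malformed input.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample table: two records, uid 25 and 26.
$db->exec('CREATE TABLE entries (uid INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO entries (uid, title) VALUES (25, 'record 25'), (26, 'record 26')");

// Variant 1: raw parameter concatenated into the SQL text (what happens
// without wfqbe.intval). Anything in the value becomes part of the query.
function queryRaw(PDO $db, string $uid): array {
    $sql = 'SELECT uid FROM entries WHERE uid = ' . $uid;
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Variant 2: the value is cast with intval() first, which is what the
// customQuery.XXX.wfqbe.intval option amounts to. Only a leading integer
// survives: intval('25 OR 1=1') === 25, intval('abc') === 0.
function queryIntval(PDO $db, string $uid): array {
    $sql = 'SELECT uid FROM entries WHERE uid = ' . intval($uid);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Variant 3: a bound parameter. The value never becomes SQL text at all,
// which is the general answer when a query is written by hand.
function queryPrepared(PDO $db, string $uid): array {
    $stmt = $db->prepare('SELECT uid FROM entries WHERE uid = :uid');
    $stmt->execute([':uid' => (int) $uid]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The check: a well-formed id must return exactly one row in every variant,
// and a malformed id must still return at most that one row once the
// protection is in place. Only the raw variant leaks the extra record.
$inputs = ['25', '25 OR 1=1'];
foreach ($inputs as $in) {
    printf("input %-12s raw=%d intval=%d prepared=%d\n",
        "'$in'",
        count(queryRaw($db, $in)),       // 1 for '25', 2 for '25 OR 1=1'
        count(queryIntval($db, $in)),    // 1 in both cases
        count(queryPrepared($db, $in))); // 1 in both cases
}
```

Running this shows the raw variant returning both records for the malformed value while the intval and prepared variants return only uid 25. The same idea serves as the check asked for in the post: feed a value that is not a plain integer into the edit query's tx_wfqbe_pi1[uid] parameter and confirm that the page only ever shows the single record whose id matches the leading integer, or nothing when the value has no leading integer.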