[TYPO3-ttnews] EXT:News, Tags als Meta-Keywords, kommasepariert

Mon Nov 5 08:35:49 CET 2012

Thanks Jigal! This is very good to know! 

-----Ursprüngliche Nachricht-----
Von: typo3-project-tt-news-bounces at lists.typo3.org [mailto:typo3-project-tt-news-bounces at lists.typo3.org] Im Auftrag von Jigal van Hemert
Gesendet: Samstag, 3. November 2012 15:16
An: typo3-project-tt-news at lists.typo3.org
Betreff: Re: [TYPO3-ttnews] EXT:News, Tags als Meta-Keywords, kommasepariert

Hi,

On 2-11-2012 12:09, Georg Ringer wrote:
> Hallo,
>
> Am 02.11.2012 12:03, schrieb David Greiner:
>> über folgendes Typoscript frage ich auf Artikeldetail-Seiten die dem 
>> Artikel zugeordneten Tags ab.
>>          andWhere.dataWrap =
>> tx_news_domain_model_news_tag_mm.uid_local = {GP:tx_news_pi1|news}
>>          andWhere.insertData = 1
>>      }
>
> und hast damit eine wunderbare SQL Injection, besser via cObject 
> basteln und dann ein intval = 1

You don't have to build anything complex. Just use markers [1][2]:

select {
   [...]
   where = tx_news_domain_model_news_tag_mm.uid_local = ###newsitem###
   [...]
   markers {
     newsitem.data = GP:tx_news_pi1|news
   }
}

Every property of select supports these markers and markers have full stdWrap support. Every marker value is properly escaped and quoted.

Don't tell anybody, but this feature has been around since TYPO3 4.4.

[1]
http://buzz.typo3.org/teams/core/article/safety-and-flexibility-in-typoscript-queries/
[2]
http://typo3.org/documentation/document-library/core-documentation/doc_core_tsref/4.7.0/view/1/5/#id552862

--
Jigal van Hemert
TYPO3 Core Team member

TYPO3 .... inspiring people to share!
Get involved: typo3.org
_______________________________________________
TYPO3-project-tt-news mailing list
TYPO3-project-tt-news at lists.typo3.org
http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-project-tt-news