[TYPO3-mvc] Find object properties, only using TypoScript

Albrecht Köhnlein albrecht.koehnlein at gmx.de
Sun Oct 28 18:48:45 CET 2012


Hi Jigal,

thanks for that comment. But as I see in the source code, uidInList is 
handled with t3lib_div::intExplode() internally. So in my opinion it's 
safe enough. Or am I wrong?

Greetings
Albrecht


On 27.10.12 21:53, Jigal van Hemert wrote:
> Hi,
>
> On 27-10-2012 18:16, Albrecht Köhnlein wrote:
>> uidInList.data = GP:article
>
> Please use markers [1] to insert external data into query parts. Now
> you're only introducing potential SQL injection problems. Each marker
> value is properly escaped and quoted to prevent SQL injections.
>
> Markers can be used in any other property of 'select' and are available
> in all supported TYPO3 versions.
>
> [1]
> http://typo3.org/documentation/document-library/core-documentation/doc_core_tsref/4.7.0/view/1/5/#id552862
>
>
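For readers following the thread, the marker form Jigal points to next to the stdWrap form from the original post, as an added TypoScript example that is not from either poster. The parameter name `article` comes from the thread; the table, pid and renderObj values are assumed.

```typoscript
# Added example (not from the thread): two ways of feeding a GET/POST value
# into a CONTENT object's select clause. Table, pid and renderObj are assumed.
page.10 = CONTENT
page.10 {
  table = tt_content
  select {
    pidInList = 42

    # Form from the original post: external data is written straight into a
    # query property via stdWrap. Whether uidInList sanitises it is exactly
    # what the thread is discussing.
    # uidInList.data = GP:article

    # Marker form recommended in the thread: the value arrives through
    # select.markers, where it is escaped and quoted before it is substituted
    # for ###article### in the query part.
    where = uid = ###article###
    markers {
      article.data = GP:article
      # Markers accept stdWrap, so an integer id can additionally be cast.
      article.intval = 1
    }
  }
  renderObj = TEXT
  renderObj.field = header
}
```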



More information about the TYPO3-project-typo3v4mvc mailing list