[TYPO3-core] RFC #13940 Preventing SQL injections in CONTENT object

[Martin Holtz]

Hi Jigal,



> Version 3
> 
> Martin Holtz wrote:
>> if you define an string with comma in it:
>> your patch quotes both parts separatly:
> 
> Good catch! I followed your suggestion. Attached is version 3.
great, thanks!

i uploaded a patch with the testcases, but didnt tested yet with your third 
version. And i well, there is potential, that i did something wrong - 
especially with the NULL tests.

I think you have to remove the check for NULL values - IMHO it is not 
possible to check if a value should be NULL or "NULL".

SELECT * FROM tt_content WHERE header = "null"

is not possible than. As the "null" would be treated as NULL. And afaik in 
SQL i should use 'header IS NULL' instead of 'header = NULL' (i am not sure, 
if that would work).
So, at least the comparision to an string should be removed there. I am not 
sure, if is possible to get a NULL value there, but check for is_null() 
should not harm.

Another thing is your replacement of quotes within the comma separated list. 
So you treat "hello world" different than "hello world","hallo welt" (with 
commaSeparatedList enabled).
IMHO you should remove the parts where you remove the quotes.


And i didnt tested it yet, but i think the part
"replace the markers in the queryParts to handle stdWrap"
does not work as expected.
It should be placed right after "$queryParts = $this->getWhere($table,
$conf,TRUE);". Otherwise there are SQL-Querys where an marker, which has 
been introduced by andWhere, is not yet replaced.

I do not think i will be able to test that before monday.
And i would be really happy, if that would get into 4.4, so i will try to 
find some time.

thanks,
martin