[TYPO3-dev] Problem with sql query
Peter Niederlag
niederlag at ikd01.de
Tue Jun 20 10:57:09 CEST 2006
Hi Brian,
Brian Bendtsen wrote:
> Hi
>
> First of all I have this select statement in an extension I have developed:
>
> $query = $GLOBALS['TYPO3_DB']->SELECTquery('*', 'tx_boligtilbud_acceptet_offers',
>     'caseid=' . $this->piVars['sagsnummer'] . ' AND user_id=' . $this->piVars['userid']);
> $res = $GLOBALS['TYPO3_DB']->sql(TYPO3_db, $query);
>
> if (mysql_num_rows($res) > 0) {
>     // Do something...
> }
>
> I suddenly get this error:
You should be *very careful* with this query. Usually piVars are set by
user-input from FE/outside world. *NEVER EVER USE piVars without
sanitizing in sql-queries*; that most likely will make sql-injections
possible!
Be sure to have a look at the TYPO3 Coding guidelines and make yourself
familiar with "sql-injection":
http://typo3.org/documentation/document-library/core-documentation/doc_core_cgl/current/view/1/5/
There are some convenience functions available in the TYPO3_DB class.
Greets,
Peter
--
Peter Niederlag
http://www.niekom.de * TYPO3 & EDV Dienstleistungen *
http://www.typo3partner.net * professional services network *
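The query from the quoted post, rewritten so that piVars are sanitized before they reach SQL. This is an added example, not code from Peter's reply or from the TYPO3 project; it assumes the TYPO3 4.x t3lib_DB API behind $GLOBALS['TYPO3_DB'] (exec_SELECTquery, fullQuoteStr, sql_num_rows, sql_fetch_assoc) and reuses the table and column names from Brian's snippet.

```php
<?php
// Added example (not from the original thread): Brian's SELECT with the
// piVars sanitized. Assumes TYPO3 4.x t3lib_DB ($GLOBALS['TYPO3_DB']) inside a
// pi_base plugin; table/column names are the ones from the quoted post.

// As posted: piVars are concatenated straight into the WHERE clause, so whatever
// the visitor puts in the URL parameters is executed as SQL.
function acceptedOffersUnsafe(array $piVars) {
    $where = 'caseid=' . $piVars['sagsnummer'] . ' AND user_id=' . $piVars['userid'];
    return $GLOBALS['TYPO3_DB']->exec_SELECTquery('*', 'tx_boligtilbud_acceptet_offers', $where);
}

// Hardened: integer columns are cast, string values would go through fullQuoteStr().
function acceptedOffers(array $piVars) {
    $db    = $GLOBALS['TYPO3_DB'];
    $table = 'tx_boligtilbud_acceptet_offers';

    // caseid and user_id are integer columns: casting leaves only a number,
    // so no SQL syntax can survive into the query.
    $caseId = intval($piVars['sagsnummer']);
    $userId = intval($piVars['userid']);
    if ($caseId <= 0 || $userId <= 0) {
        return array(); // missing or malformed parameters: do not query at all
    }
    $where = 'caseid=' . $caseId . ' AND user_id=' . $userId;

    // For a string column the t3lib_DB helper quotes and escapes the value
    // (hypothetical column "status", shown only to illustrate the call):
    //   $where .= ' AND status=' . $db->fullQuoteStr($piVars['status'], $table);

    $res  = $db->exec_SELECTquery('*', $table, $where);
    $rows = array();
    if ($db->sql_num_rows($res) > 0) {
        while ($row = $db->sql_fetch_assoc($res)) {
            $rows[] = $row;
        }
    }
    $db->sql_free_result($res);
    return $rows;
}
```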