[TYPO3-dev] Problem with sql query
Stefan Bothner | [m]zentrale
stefan at m-zentrale.de
Tue Jun 20 13:07:52 CEST 2006
Hi Peter,
I have parameters like tx_myext_pi1[do]=doit.
How could I check these vars with t3lib_div::_GET()?
Kind regards
Stefan
> -----Original Message-----
> From: typo3-dev-bounces at lists.netfielders.de
> [mailto:typo3-dev-bounces at lists.netfielders.de] On Behalf Of
> Peter Niederlag
> Sent: Tuesday, June 20, 2006 10:57 AM
> To: typo3-dev at lists.netfielders.de
> Subject: Re: [TYPO3-dev] Problem with sql query
>
> Hi Brian,
>
> Brian Bendtsen schrieb:
> > Hi
> >
> > First of all I have this select statement in an extension I
> have developed:
> >
> > $query = $GLOBALS['TYPO3_DB']->SELECTquery('*', 'tx_boligtilbud_acceptet_offers',
> >     'caseid=' . $this->piVars['sagsnummer'] . ' AND user_id=' . $this->piVars['userid'] . '');
> > $res = $GLOBALS['TYPO3_DB']->sql(TYPO3_db, $query);
> >
> > if(!mysql_num_rows($res)==0) {
> >     // Do something...
> > }
> >
> > I suddenly get this error:
>
> You should be *very careful* with this query. Usually piVars
> are set by user input from the FE/outside world. *NEVER EVER USE
> piVars without sanitizing in SQL queries*; that most likely
> will make SQL injections possible!
>
> Be sure to have a look at the TYPO3 Coding Guidelines and make
> yourself familiar with "SQL injection":
> http://typo3.org/documentation/document-library/core-documentation/doc_core_cgl/current/view/1/5/
>
> There's some convenience-functions available in TYPO3_DB class.
>
> Greets,
> Peter
> --
> Peter Niederlag
> http://www.niekom.de * TYPO3 & EDV Dienstleistungen *
> http://www.typo3partner.net * professional services network *
> _______________________________________________
> TYPO3-dev mailing list
> TYPO3-dev at lists.netfielders.de
> http://lists.netfielders.de/cgi-bin/mailman/listinfo/typo3-dev
>
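As an added example that is not part of the thread, here is how the quoted lookup could be written against the TYPO3 4.x API so that piVars never reach the SQL unquoted, and how a parameter such as tx_myext_pi1[do] is read with t3lib_div::_GP(). The class and method names and the `action` column are assumptions; the table and the caseid/user_id columns come from Brian's query.

```php
<?php
// Added example, not code from the thread. Uses the TYPO3 4.x API
// (t3lib_div, t3lib_DB via $GLOBALS['TYPO3_DB']). Class/method names and
// the 'action' column are hypothetical.

class tx_myext_pi1 extends tslib_pibase {
    var $prefixId = 'tx_myext_pi1';
    var $offerTable = 'tx_boligtilbud_acceptet_offers';   // table from the thread

    /**
     * t3lib_div::_GP('tx_myext_pi1') returns the whole tx_myext_pi1[...]
     * array from GET or POST (slashes stripped); t3lib_div::_GET() does the
     * same for GET only. Individual keys are then read as $vars['do'].
     */
    function getPluginVars() {
        $vars = t3lib_div::_GP($this->prefixId);
        return is_array($vars) ? $vars : array();
    }

    /**
     * Same lookup as the quoted query, but the ids are cast with intval()
     * before they are placed in the WHERE clause, so only integers can ever
     * reach the database.
     */
    function findAcceptedOffers($sagsnummer, $userid) {
        $caseId = intval($sagsnummer);   // non-numeric input becomes 0
        $userId = intval($userid);
        if ($caseId <= 0 || $userId <= 0) {
            return array();              // refuse instead of querying
        }
        $where = 'caseid=' . $caseId . ' AND user_id=' . $userId;
        $res = $GLOBALS['TYPO3_DB']->exec_SELECTquery('*', $this->offerTable, $where);
        $rows = array();
        while ($row = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($res)) {
            $rows[] = $row;
        }
        $GLOBALS['TYPO3_DB']->sql_free_result($res);
        return $rows;
    }

    /**
     * For a string parameter (e.g. tx_myext_pi1[do]=doit) use the
     * convenience function fullQuoteStr(), which quotes and escapes the
     * value for the connection instead of concatenating it raw.
     */
    function findByAction($do) {
        $where = 'action=' . $GLOBALS['TYPO3_DB']->fullQuoteStr($do, $this->offerTable);
        $res = $GLOBALS['TYPO3_DB']->exec_SELECTquery('*', $this->offerTable, $where);
        return $GLOBALS['TYPO3_DB']->sql_num_rows($res);
    }
}
```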