[TYPO3-dev] [TYPO3-core] RFC #12094: Bug: stdWrap function fullQuoteStr
Dmitry Dulepov
dmitry.dulepov at gmail.com
Fri Oct 2 15:56:46 CEST 2009
Hi!
JoH asenau wrote:
> So did you already contact the security team to tell them that there might
> be the possibility of MySQL injections in case somebody doesn't escape user-
> generated values in a SELECT query?
No, I didn't.
> Come on, Dmitry, this is ridiculous. We are not talking about a security
> hole in TYPO3 itself but about holes that admins might create when using
> TypoScript. It's the same as if you tell people not to use unescaped GET
> vars in PHP when creating SELECT queries. This is common knowledge and
> nothing for the security team and definitely nothing to keep secret.
>
> But let's move the discussion to the dev list.
It is not the first, and will not be the last, time that security issues are discussed openly. Sometimes people simply do not understand that it is dangerous. Therefore it is much better that *anything* related to security goes through the security team. A false alarm is better than a missed alarm. Have you ever seen it from this point of view?
--
Dmitry Dulepov
Facebook: http://www.facebook.com/dmitryd
Twitter: http://twitter.com/dmitryd
Skype: liels_bugs
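The quoted paragraph above talks about MySQL injection when a user-generated value is concatenated into a SELECT query without going through fullQuoteStr. The following is an added example (not part of either message in this thread, and not TYPO3 code): it uses an in-memory SQLite table with constructed rows to show the difference between raw concatenation, a quote-and-escape helper written here as an analogue of what TYPO3's fullQuoteStr does, and a parameterized query. The table name tt_content and the payload are illustrative; SQLite doubles single quotes where MySQL would backslash-escape them, so the helper is an analogue, not a port.

```python
import sqlite3

# Constructed sample rows standing in for a TYPO3 content table (not real site data).
ROWS = [
    (1, "public page", 0),
    (2, "members only", 1),
    (3, "admin notes", 1),
]

# Classic injection payload: closes the string literal and appends an always-true OR.
PAYLOAD = "x' OR '1'='1"


def make_db():
    """Create an in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tt_content (uid INTEGER, header TEXT, hidden INTEGER)")
    conn.executemany("INSERT INTO tt_content VALUES (?, ?, ?)", ROWS)
    return conn


def quote_str(value):
    """Analogue of TYPO3's fullQuoteStr: escape the value and wrap it in quotes.

    SQLite escapes an embedded single quote by doubling it; MySQL (and hence
    fullQuoteStr) uses backslash escaping instead. The name is this example's own.
    """
    return "'" + value.replace("'", "''") + "'"


def select_unescaped(conn, header):
    """Vulnerable pattern: the user value is pasted straight into the SQL string."""
    sql = ("SELECT uid FROM tt_content WHERE hidden = 0 AND header = '"
           + header + "' ORDER BY uid")
    return [row[0] for row in conn.execute(sql)]


def select_quoted(conn, header):
    """Same query, but the value goes through the quote-and-escape helper first."""
    sql = ("SELECT uid FROM tt_content WHERE hidden = 0 AND header = "
           + quote_str(header) + " ORDER BY uid")
    return [row[0] for row in conn.execute(sql)]


def select_parameterized(conn, header):
    """Preferred form: the driver binds the value, so it can never become SQL."""
    sql = "SELECT uid FROM tt_content WHERE hidden = 0 AND header = ? ORDER BY uid"
    return [row[0] for row in conn.execute(sql, (header,))]


if __name__ == "__main__":
    conn = make_db()
    # Unescaped: AND binds tighter than OR, so "... OR '1'='1'" returns every row,
    # including the hidden ones.
    print("unescaped:    ", select_unescaped(conn, PAYLOAD))
    # Quoted/escaped and parameterized: the payload is compared as a literal header.
    print("quoted:       ", select_quoted(conn, PAYLOAD))
    print("parameterized:", select_parameterized(conn, PAYLOAD))
    # A benign value behaves the same way in all three variants.
    print("benign:       ", select_parameterized(conn, "public page"))
```

Running it shows the unescaped variant returning all three uids for the payload, while the escaped and parameterized variants return nothing; the "hidden = 0" condition that the TypoScript author thought protected the hidden rows is simply bypassed.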