[TYPO3-dev] CONTENT object and SQL injection prevention

Ernesto Baschny [cron IT] ernst at cron-it.de
Sun Mar 28 17:59:02 CEST 2010


Hi Jigal,

Jigal van Hemert schrieb am 27.03.2010 16:03:

> As an aftermath of Bugday I tried to make a solution for the problem
> that there is no good way to prevent SQL injection problems in queries
> in the TypoScript CONTENT object.
> C&C are very much welcome!
> 
> I'd like a few opinions before submitting this to the core list.
(...)
> This patch allows the use of named parameter markers in most of the
> 'select' properties.
> 
> Example:
> 
> 10 = CONTENT
> 10 {
>  table = tt_news
>  select {
>   selectFields = title,uid
>   pidInList = 4
>   where = title > :whatever
>     # :whatever is a named marker, see below for the value definition
>   markers {
>    whatever.data = GP:first
>   }
>  }
> }

Sounds nice, yeah! Maybe use the same "markers" syntax as we are used to:

   where = title > ###whatever###

What do you think?

> In the new 'markers' property you can setup the named parameter markers
> and their values. Each marker has full stdWrap support, so the data can
> be built from any source.
> If the value is an integer or a float (also an integer or float in a
> string) it is inserted as a numerical value, otherwise it's fed through
> t3lib_DB::fullQuoteStr().

> Extra features
> ===============
> - All properties (excepting 'andWhere') support these markers, so it
> becomes possible to make paginated output in TS.
> - I'd like to nominate andWhere to be marked as deprecated with this
> feature, because the support of stdWrap allows SQL injection problems to
> occur; with named markers the functionality of andWhere is moved to a
> safer place.

Great.

> Questions
> =========
> I'm not sure if there is a good way in the core to handle unknown
> markers where some have only a value ['markername'], others have only
> properties ['markername.'] and others have both.
> The solution in the patch is to walk through the array and add elements
> with an empty value if there are only properties.

I think I have done that in the past too. Maybe you could do an
array_keys(), and use array_map() to get a list of all properties
(filtering the "." suffix) and then walk through a list of properties.

Having that functionality in core would be nice, though. For example an
Iterator object which could be used directly in a foreach.


Cheers,
Ernesto
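The following is an added illustration of the marker-substitution idea discussed in this thread; it is not Jigal's patch and not TYPO3 core code, and it is written in Python rather than PHP so it can be run stand-alone. It models the three points under discussion: a marker may appear in the TypoScript array as a bare value ('name'), as properties only ('name.'), or both; a value that is an integer or float (also as a string) is inserted bare, everything else is quoted the way t3lib_DB::fullQuoteStr() would; and both the ':name' form from the patch and the '###name###' form suggested above are accepted. stdWrap is reduced to a stub that only understands a 'data = GP:key' property, the request data is constructed, and the function names (collect_markers, substitute_markers, full_quote_str, is_numeric) are this example's own, not names from the patch.

```python
import re

# Constructed stand-in for TYPO3's GET/POST ("GP:") data. "evil" carries a
# classic injection attempt, "page" is a number that arrived as a string.
SAMPLE_GP = {
    "first": "Hello",
    "evil": "' OR 1=1 -- ",
    "page": "3",
}

# Approximates PHP's is_numeric(): optional sign, integer or float, exponent.
NUMERIC_RE = re.compile(r"^\s*[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?\s*$")

# Accepts both ':name' (the patch's syntax) and '###name###' (the reply's
# suggestion). The look-behind keeps ':' inside words (e.g. 'a:b') unmatched.
MARKER_RE = re.compile(r"###([A-Za-z_]\w*)###|(?<!\w):([A-Za-z_]\w*)")


def is_numeric(value):
    """True for ints/floats and for strings that PHP would treat as numeric."""
    if isinstance(value, bool):
        return False
    if isinstance(value, (int, float)):
        return True
    return isinstance(value, str) and NUMERIC_RE.match(value) is not None


def full_quote_str(value):
    """Escapes like mysql_real_escape_string() and wraps in single quotes,
    which is what t3lib_DB::fullQuoteStr() does for a MySQL connection."""
    escapes = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
               "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "'" + "".join(escapes.get(ch, ch) for ch in str(value)) + "'"


def collect_markers(conf):
    """Walks a TypoScript-style array in which a marker may be present as a
    bare value ('name'), as properties only ('name.'), or as both, and
    returns {name: (value, properties)} with '' / {} filled in where absent."""
    names = {key.rstrip(".") for key in conf}
    return {n: (conf.get(n, ""), conf.get(n + ".", {})) for n in names}


def resolve_marker(value, props, gp):
    """Minimal stdWrap stand-in: only 'data = GP:key' is modelled here."""
    data = props.get("data", "")
    if data.startswith("GP:"):
        value = gp.get(data[3:], "")
    return value


def render_value(value):
    """Numbers go in bare (so LIMIT/OFFSET work), everything else is quoted."""
    return str(value).strip() if is_numeric(value) else full_quote_str(value)


def substitute_markers(sql, marker_conf, gp):
    """Replaces every marker in `sql` with its safely rendered value.
    An unknown marker is an error rather than silently left in the query."""
    markers = collect_markers(marker_conf)

    def replace(match):
        name = match.group(1) or match.group(2)
        if name not in markers:
            raise ValueError("unknown marker %r in query" % name)
        value, props = markers[name]
        return render_value(resolve_marker(value, props, gp))

    return MARKER_RE.sub(replace, sql)


# Constructed marker configuration in the shape of the TypoScript 'markers {}'
# block: properties only, bare value only, and a numeric value from the request.
MARKER_CONF = {
    "whatever.": {"data": "GP:first"},
    "attack.": {"data": "GP:evil"},
    "offset.": {"data": "GP:page"},
    "limit": "10",
}

WHERE = "title > ###whatever### AND title <> :attack LIMIT :offset, :limit"

if __name__ == "__main__":
    print(substitute_markers(WHERE, MARKER_CONF, SAMPLE_GP))
```

The injection attempt in GP:evil ends up inside a quoted, escaped literal, while the numeric GP:page is inserted bare, which is what makes markers usable in LIMIT and ORDER BY positions where a quoted string would be rejected or silently cast. Note that the numeric check decides on the value, not on where the marker sits, so a marker meant for a numeric position still needs a numeric value; a non-numeric request value in a LIMIT position yields a quoted string and a SQL error, not an injection.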