[TYPO3-dev] CONTENT object and SQL injection prevention
Ernesto Baschny [cron IT]
ernst at cron-it.de
Sun Mar 28 17:59:02 CEST 2010
Hi Jigal,
Jigal van Hemert wrote on 27.03.2010 16:03:
> As an aftermath of Bugday I tried to make a solution for the problem
> that there is no good way to prevent SQL injection problems in queries
> in the TypoScript CONTENT object.
> C&C are very much welcome!
>
> I'd like a few opinions before submitting this to the core list.
(...)
> This patch allows the use of named parameter markers in most of the
> 'select' properties.
>
> Example:
>
> 10 = CONTENT
> 10 {
>   table = tt_news
>   select {
>     selectFields = title,uid
>     pidInList = 4
>     where = title > :whatever
>     # :whatever is a named marker, see below for the value definition
>     markers {
>       whatever.data = GP:first
>     }
>   }
> }
Sounds nice, yea! Maybe use the same "markers" syntax as we are used to:
where = title > ###whatever###
What do you think?
> In the new 'markers' property you can setup the named parameter markers
> and their values. Each marker has full stdWrap support, so the data can
> be built from any source.
> If the value is an integer or a float (also an integer or float in a
> string) it is inserted as a numerical value, otherwise it's fed through
> t3lib_DB::fullQuoteStr().
> Extra features
> ===============
> - All properties (excepting 'andWhere') support these markers, so it
> becomes possible to make paginated output in TS.
> - I'd like to nominate andWhere to be marked as deprecated with this
> feature, because the support of stdWrap allows SQL injection problems to
> occur; with named markers the functionality of andWhere is moved to a
> safer place.
Great.
> Questions
> =========
> I'm not sure if there is a good way in the core to handle unknown
> markers where some have only a value ['markername'], others have only
> properties ['markername.'] and others have both.
> The solution in the patch is to walk through the array and add elements
> with an empty value if there are only properties.
I think I have done that in the past too. Maybe you could do an
array_keys(), and use array_map() to get a list of all properties
(filtering the "." suffix) and then walk through a list of properties.
Having that functionality in core would be nice, though. For example an
Iterator object which could be used directly in a foreach.
Cheers,
Ernesto
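The following is an added example, not the patch Jigal posted and not TYPO3 core code. It models the two mechanics discussed above in plain PHP 7+: normalising a TypoScript sub-array in which a marker may appear as a value ('name'), as properties only ('name.'), or both (the array_keys() / array_map() idea, with the "." suffix stripped), and then substituting ###name### markers (the syntax suggested in this reply) into a where clause so that integer and float values go in as numbers and everything else is quoted. The names normaliseMarkers, applyStdWrap, quoteStr, sqlLiteral and substituteMarkers are mine; quoteStr() is a stand-in for t3lib_DB::fullQuoteStr(), which needs a database connection, and applyStdWrap() only understands the "data = GP:field" case the thread's TypoScript uses. The sample TypoScript array and the hostile GP value at the bottom are constructed for the example.

```php
<?php
// Added example for the TYPO3-dev thread on CONTENT markers. Not part of
// the posted patch. Assumptions: PHP 7+, TypoScript modelled as a PHP array
// with 'name' / 'name.' keys, quoteStr() standing in for fullQuoteStr().

/**
 * Give every marker name both a value entry ('name') and a properties entry
 * ('name.'): collect all keys with the "." suffix stripped, then fill in an
 * empty value where only properties were configured.
 */
function normaliseMarkers(array $conf): array
{
    $names = [];
    foreach (array_keys($conf) as $key) {
        $names[rtrim($key, '.')] = true;
    }
    $out = [];
    foreach (array_keys($names) as $name) {
        $out[$name] = [
            'value' => isset($conf[$name]) ? (string) $conf[$name] : '',
            'props' => isset($conf[$name . '.']) ? $conf[$name . '.'] : [],
        ];
    }
    return $out;
}

/**
 * Minimal stand-in for stdWrap (assumption for this example): only
 * 'data = GP:field' is handled, reading from $gp, which plays the role of
 * the merged GET/POST array. Anything else returns the plain value.
 */
function applyStdWrap(string $value, array $props, array $gp): string
{
    if (isset($props['data']) && strpos($props['data'], 'GP:') === 0) {
        $field = substr($props['data'], 3);
        return isset($gp[$field]) ? (string) $gp[$field] : '';
    }
    return $value;
}

/** Stand-in for t3lib_DB::fullQuoteStr(): escape backslash and quote, then quote. */
function quoteStr(string $value): string
{
    return "'" . str_replace(["\\", "'"], ["\\\\", "\\'"], $value) . "'";
}

/**
 * Render a resolved marker value as an SQL literal: an integer or float
 * (also when given as a string) goes in as a number, everything else is
 * quoted. Casting the numeric branch guarantees that only digits reach SQL.
 */
function sqlLiteral(string $value): string
{
    if (preg_match('/^-?\d+$/', $value)) {
        return (string) (int) $value;
    }
    if (is_numeric($value)) {
        return (string) (float) $value;
    }
    return quoteStr($value);
}

/**
 * Replace every ###name### in $where with its rendered literal. Markers
 * that are not configured are left untouched, so a misconfiguration shows
 * up as an SQL error instead of silently dropping a condition.
 */
function substituteMarkers(string $where, array $markersConf, array $gp): string
{
    $markers = normaliseMarkers($markersConf);
    return preg_replace_callback(
        '/###([A-Za-z0-9_]+)###/',
        function (array $m) use ($markers, $gp) {
            if (!isset($markers[$m[1]])) {
                return $m[0];
            }
            $raw = applyStdWrap($markers[$m[1]]['value'], $markers[$m[1]]['props'], $gp);
            return sqlLiteral($raw);
        },
        $where
    );
}

// Constructed sample: the thread's TypoScript as a PHP array (one marker
// with properties only, one with a value only) plus a hostile GP value.
$where = 'title > ###whatever### AND pid = ###pid###';
$markersConf = [
    'whatever.' => ['data' => 'GP:first'],
    'pid' => '4',
];
$gp = ['first' => "x' OR '1'='1"];
echo substituteMarkers($where, $markersConf, $gp), "\n";
```

The hostile value ends up inside a quoted, escaped string literal while the pid marker is emitted as the bare number 4. One caveat worth keeping in mind when reviewing the real patch: a marker whose GP value is missing resolves to the empty string, which is quoted as '' and makes the condition compare against nothing, so the select may legitimately return no rows rather than failing loudly.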