[TYPO3-dev] CONTENT object and SQL injection prevention

Jigal van Hemert jigal at xs4all.nl
Sun Mar 28 22:28:33 CEST 2010


Thanks for your reply!

Ernesto Baschny [cron IT] wrote:
> Jigal van Hemert wrote on 27.03.2010 16:03:
>>     # :whatever is a named marker, see below for the value definition
> Sounds nice, yeah! Maybe use the same "markers" syntax as we are used to:
>    where = title > ###whatever###

No problem. Good idea to stick to a familiar syntax.

>> I'm not sure if there is a good way in the core to handle unknown
>> markers where some have only a value ['markername'], others have only
>> properties ['markername.'] and others have both.
> 
> I think I have done that in the past too. Maybe you could do an
> array_keys(), and use array_map() to get a list of all properties
> (filtering the "." suffix) and then walk through a list of properties.
> 
> Having that functionality in core would be nice, though. For example an
> Iterator object which could be used directly in a foreach.

array_map() is often rather slow, but that would be the problem for that 
functionality.
I think I'll leave that for another RFC and mark it as a TODO in this 
function.

-- 
Jigal van Hemert.
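
The marker handling discussed in this thread, as an added sketch that is not part of the original message and is not TYPO3 core code: marker names are collected from keys given as 'name', 'name.' or both, and the `###name###` markers are replaced in a single pass. The function names, the 'intval' property and the sample array are hypothetical, and the quoting callback assumes pdo_sqlite is available.

```php
<?php
// Added illustration, not TYPO3 core code; all names here are hypothetical.

/** Marker names from keys given as 'name', 'name.' or both. */
function collectMarkerNames(array $conf): array
{
    $names = [];
    foreach (array_keys($conf) as $key) {
        $key = (string)$key;
        $names[substr($key, -1) === '.' ? substr($key, 0, -1) : $key] = true;
    }
    return array_map('strval', array_keys($names));
}

/** Replace ###name### markers in one pass so inserted values are never rescanned. */
function substituteMarkers(string $where, array $conf, callable $quote): string
{
    $known = array_flip(collectMarkerNames($conf));
    return preg_replace_callback(
        '/###([A-Za-z0-9_]+)###/',
        function (array $m) use ($conf, $known, $quote): string {
            $name = $m[1];
            if (!isset($known[$name])) {
                // Fail closed: an undefined marker must not reach the database.
                throw new InvalidArgumentException("Undefined marker: $name");
            }
            $value = (string)($conf[$name] ?? '');
            $props = $conf[$name . '.'] ?? [];
            // Numeric markers are cast; everything else goes through the quoting callback.
            return !empty($props['intval']) ? (string)(int)$value : $quote($value);
        },
        $where
    );
}

// Constructed sample input covering value only, value plus properties, properties only.
$conf = [
    'whatever' => "x' OR '1'='1",
    'uid'      => '12abc',
    'uid.'     => ['intval' => 1],
    'pid.'     => ['intval' => 1],
];
$pdo = new PDO('sqlite::memory:'); // supplies a real quoting function for the sketch
$where = 'title > ###whatever### AND uid = ###uid### AND pid = ###pid###';
echo substituteMarkers($where, $conf, [$pdo, 'quote']), "\n";
```

Replacing markers one after another with str_replace() would rescan values already inserted, so a value containing `###uid###` could be rewritten by a later pass; the single preg_replace_callback() pass avoids that.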



