[TYPO3-dev] CONTENT object and SQL injection prevention

Jigal van Hemert jigal at xs4all.nl
Mon Mar 29 11:59:37 CEST 2010


Martin Holtz wrote:
> but it would not be possible to create a dynamic query then?
> 
> where = title > :whatever
> where.append = CASE

True. You could do something with conditions (although that would have 
other disadvantages).

Then again, the PDO::prepare() does not allow dynamic queries either :-)

But you truly caught one disadvantage; good catch!

-- 
Jigal van Hemert.
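The point above about PDO::prepare(), as an added example that is not part of the original post: a prepared statement fixes the SQL structure, so "dynamic" parts have to be picked from fixed fragments before prepare() while placeholders carry values only. The `pages` table, the fragment keys and `findPages()` are hypothetical, and the in-memory SQLite driver is assumed to be available.

```php
<?php
// Added example: constructed table and rows in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE pages (uid INTEGER PRIMARY KEY, title TEXT, hidden INTEGER)');
$pdo->exec("INSERT INTO pages (title, hidden) VALUES ('alpha', 0), ('mango', 0), ('zebra', 1)");

// Hypothetical allowlist: every fragment that may be appended is fixed text
// written by the integrator. Input only selects a key, it never supplies SQL.
const WHERE_FRAGMENTS = [
    'visible'    => 'hidden = 0',
    'titleAfter' => 'title > :whatever',
];

function findPages(PDO $pdo, array $fragmentKeys, array $values): array
{
    $clauses = [];
    foreach ($fragmentKeys as $key) {
        if (!array_key_exists($key, WHERE_FRAGMENTS)) {
            throw new InvalidArgumentException("Unknown fragment: $key");
        }
        $clauses[] = WHERE_FRAGMENTS[$key];
    }

    $sql = 'SELECT title FROM pages';
    if ($clauses) {
        $sql .= ' WHERE ' . implode(' AND ', $clauses);
    }
    $sql .= ' ORDER BY title';

    // The structure is final at this point; placeholders carry data only.
    $stmt = $pdo->prepare($sql);
    foreach ($values as $name => $value) {
        $stmt->bindValue(':' . $name, $value, PDO::PARAM_STR);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// A value that looks like SQL is compared as a plain string, not parsed.
print_r(findPages($pdo, ['visible', 'titleAfter'], ['whatever' => "b' OR '1'='1"]));

// A different query structure is chosen by key, with no placeholder involved.
print_r(findPages($pdo, ['visible'], []));
```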



