[TYPO3-dev] CONTENT object and SQL injection prevention

Martin Holtz typo3ng_2009 at martinholtz.de
Mon Mar 29 12:57:08 CEST 2010


Hi Jigal,

> In the new 'markers' property you can set up the named parameter markers
> and their values. Each marker has full stdWrap support, so the data can
> be built from any source.
> If the value is an integer or a float (also an integer or float in a
> string) it is inserted as a numerical value; otherwise it's fed through
> t3lib_DB::fullQuoteStr().
AFAIK you should use fullQuoteStr() for all values to be DBAL
compatible. Otherwise it could happen that you send an integer to a
varchar, which could fail on some DBs.

And you need the second parameter "table" for fullQuoteStr(), so it
should be added to the markers configuration as well.

With respect to joins: the tables can be different for each field in a WHERE clause.

thanks,
martin
-- 
Martin Holtz - elemente websolutions http://www.elemente-websolutions.ms

http://wiki.typo3.org/Ts45min - TypoScript in "45" minutes
http://wiki.typo3.org/De:ts45min - (auch in Deutsch)
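The following is an added example, not code from the mailing-list thread or from TYPO3 itself. It sketches the marker substitution the thread discusses for a CONTENT object's WHERE clause: the value path described in the quoted mail (numeric values inserted unquoted, everything else quoted) beside the "quote everything, and pass the table" variant Martin asks for. fullQuoteStr_stub() is a stand-in for t3lib_DB::fullQuoteStr($str, $table) so the script runs without a TYPO3 install; the real method escapes through the database driver and uses $table so DBAL can route to the connection that serves that table. The marker names, table names, and attacker-style values are constructed for the demo.

```php
<?php
// Added example (not TYPO3 core code): injection-safe ###MARKER### substitution
// for a CONTENT object's WHERE clause.

// Stand-in for t3lib_DB::fullQuoteStr($str, $table). The real method escapes
// via the DB driver; $table lets DBAL pick the right connection and quoting
// rules. Here it is only carried along to show where it belongs.
function fullQuoteStr_stub($str, $table) {
    $escaped = strtr((string) $str, array(
        "\\" => "\\\\",
        "'"  => "\\'",
        "\0" => "\\0",
        "\n" => "\\n",
        "\r" => "\\r",
    ));
    return "'" . $escaped . "'";
}

// Replace every ###NAME### in $where with the marker's SQL literal.
// $markers: name => array('value' => mixed, 'table' => string)
// $quoteAll = false: numeric values are inserted unquoted (the behaviour
//                    described in the quoted mail), everything else is quoted.
// $quoteAll = true:  every value is quoted and the marker's own table is
//                    passed along (the DBAL-safe variant Martin asks for).
function substituteMarkers($where, array $markers, $quoteAll = true) {
    $replacements = array();
    foreach ($markers as $name => $conf) {
        $value = $conf['value'];
        $table = isset($conf['table']) ? $conf['table'] : '';
        if (!$quoteAll && is_numeric($value)) {
            // Numeric literal path: the cast guarantees that only a number
            // reaches the SQL string, never the raw text.
            $sql = (string) ($value + 0);
        } else {
            $sql = fullQuoteStr_stub($value, $table);
        }
        $replacements['###' . $name . '###'] = $sql;
    }
    // One strtr() pass instead of chained str_replace() calls, so a value
    // that itself contains "###OTHER###" is never substituted a second time.
    return strtr($where, $replacements);
}

// Constructed inputs: a join over two tables, one marker per table, with
// attacker-style values standing in for whatever stdWrap produced.
$where = 'tt_content.pid = ###PID### AND pages.title = ###TITLE###';
$markers = array(
    'PID'   => array('value' => '42',            'table' => 'tt_content'),
    'TITLE' => array('value' => "x' OR '1'='1",  'table' => 'pages'),
);

echo substituteMarkers($where, $markers, false), "\n";  // 42 stays numeric
echo substituteMarkers($where, $markers, true), "\n";   // '42' quoted as well

// A numeric-looking injection attempt fails is_numeric() and gets quoted,
// so it can only ever compare as a string, never extend the condition.
$markers['PID']['value'] = '42 OR 1=1';
echo substituteMarkers($where, $markers, false), "\n";
```

Run it with `php markers.php`. The point of the `$quoteAll` switch is Martin's objection: with the numeric path, the same marker produces `pid = 42` on one setup and, on a varchar column behind DBAL, a comparison some databases reject; quoting every value and passing each marker's table removes that difference, and the per-marker table entry is what makes this work across a join where each field may belong to a different table.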
