[TYPO3-dev] CONTENT object and SQL injection prevention
Martin Holtz
typo3ng_2009 at martinholtz.de
Mon Mar 29 12:59:48 CEST 2010
Hi,
>> but it would not be possible to create a dynamic query then?
>>
>> where = title > :whatever
>> where.append = CASE
>
> True. You could do something with conditions (although that would have
> other disadvantages).
>
> Then again, the PDO::prepare() does not allow dynamic queries either :-)
>
> But you truly caught one disadvantage; good catch!
I would like to have the freedom to build the query as I want to.
So, why not add stdWrap to where - using PDO::prepare at the
end. Then the developer has a powerful mechanism to be SQL-injection
safe. If he does not use that mechanism, it is like not using
htmlspecialchars() or just using "php-content-element".
So, I really like that solution - but only with full stdWrap support.
regards,
martin
--
Martin Holtz - elemente websolutions http://www.elemente-websolutions.ms
http://wiki.typo3.org/Ts45min - TypoScript in "45" minutes
http://wiki.typo3.org/De:ts45min - (also in German)
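To illustrate the mechanism Martin proposes (a dynamically assembled "where" plus "where.append" whose values are kept as named placeholders until PDO::prepare()), here is an added PHP example that is not code from this thread or from TYPO3. The helper names buildWhere() and selectTitles(), the tt_content rows and the pdo_sqlite in-memory database are all assumptions made for the demonstration.

```php
<?php
// Added example: the WHERE text may be built dynamically, but every
// request value travels as a bound parameter, never inside the string.
// Assumes the pdo_sqlite extension; table and rows are constructed here.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tt_content (uid INTEGER PRIMARY KEY, title TEXT, hidden INTEGER)');
$pdo->exec("INSERT INTO tt_content VALUES (1, 'apple', 0), (2, 'pear', 0), (3, 'secret', 1)");

// Hypothetical stand-in for "where" + "where.append": fragments are joined
// into SQL text, while the values stay in $params as named placeholders.
function buildWhere(array $fragments, array $params): array
{
    $where = implode(' ', array_filter($fragments));
    return [$where, $params];
}

// The "PDO::prepare at the end" step: the assembled fragment is prepared
// once and the placeholders are bound at execute time.
function selectTitles(PDO $pdo, string $where, array $params): array
{
    $stmt = $pdo->prepare("SELECT title FROM tt_content WHERE hidden = 0 AND ($where)");
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// A constructed request value standing in for the thread's ":whatever".
$userValue = "a' OR 1=1 --";

// Without the mechanism: the value is concatenated into the WHERE text,
// so the quote and comment characters change the query's structure and
// the hidden row becomes reachable.
$unsafeSql = "SELECT title FROM tt_content WHERE hidden = 0 AND title > '" . $userValue . "'";
$unsafe = $pdo->query($unsafeSql)->fetchAll(PDO::FETCH_COLUMN);

// With the mechanism: "where" and "where.append" are still assembled
// dynamically, but $userValue is compared as one opaque string literal.
[$where, $params] = buildWhere(
    ['title > :whatever', 'AND uid > :minUid'],
    [':whatever' => $userValue, ':minUid' => 0]
);
$safe = selectTitles($pdo, $where, $params);

printf("unsafe: %s\n", implode(', ', $unsafe));
printf("safe:   %s\n", implode(', ', $safe));
```

The safe variant lists only the visible rows whose title sorts after the literal string, while the concatenated variant also returns the hidden row.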