[TYPO3-dev] CONTENT object and SQL injection prevention

Martin Holtz typo3ng_2009 at martinholtz.de
Mon Mar 29 12:59:48 CEST 2010


Hi,


>> but it would not be possible to create a dynamic query then?
>>
>> where = title > :whatever
>> where.append = CASE
> 
> True. You could do something with conditions (although that would have
> other disadvantages).
> 
> Then again, the PDO::prepare() does not allow dynamic queries either :-)
> 
> But you truly caught one disadvantage; good catch!

I would like to have the freedom to build the query as I want to.

So, why not add stdWrap to where, using PDO::prepare() at the end? Then
the developer has a powerful mechanism to be SQL-injection safe. If he
does not use that mechanism, it is like not using htmlspecialchars() or
just using the "php-content-element".

So, I really like that solution - but only with full stdWrap support.

Regards,
Martin
-- 
Martin Holtz - elemente websolutions http://www.elemente-websolutions.ms

http://wiki.typo3.org/Ts45min - TypoScript in "45" minutes
http://wiki.typo3.org/De:ts45min - (also in German)
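The "where = title > :whatever" / "where.append" discussion above, carried through in PHP as an added example (not code from the thread or from TYPO3): the developer-written WHERE clause and any appended fragment stay under the developer's control, while the request value is bound through PDO::prepare(). The table name, columns, sample rows and the selectContent() helper are constructed for this illustration; it assumes the pdo_sqlite driver so it runs stand-alone.

```php
<?php
// Added example, not part of the original post: the CONTENT-object idea from
// the thread done with PDO::prepare() and a named parameter. The table and
// rows are constructed sample data held in an in-memory SQLite database.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Let the driver separate SQL text from data instead of emulating it in PHP.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

$pdo->exec('CREATE TABLE tt_content (uid INTEGER PRIMARY KEY, title TEXT, hidden INTEGER)');
$pdo->exec("INSERT INTO tt_content (title, hidden) VALUES ('alpha', 0), ('beta', 0), ('gamma', 1)");

/**
 * Hypothetical helper. The static WHERE clause and the optional appended
 * fragment are chosen by the developer (the TypoScript side of the thread);
 * only the comparison value comes from the request, and it is bound as a
 * parameter rather than concatenated into the SQL string.
 *
 * @return array<int, array{uid: int, title: string}>
 */
function selectContent(PDO $pdo, string $titleFrom, ?string $appendKey = null): array
{
    // "where.append" as a fixed list: user input may pick a key, never supply SQL.
    $allowedAppend = [
        'visible' => ' AND hidden = 0',
        'ordered' => ' ORDER BY title ASC',
    ];

    $sql = 'SELECT uid, title FROM tt_content WHERE title > :whatever';
    if ($appendKey !== null) {
        if (!array_key_exists($appendKey, $allowedAppend)) {
            throw new InvalidArgumentException('Unknown append fragment: ' . $appendKey);
        }
        $sql .= $allowedAppend[$appendKey];
    }

    $stmt = $pdo->prepare($sql);
    // The request value is data, whatever characters it contains.
    $stmt->bindValue(':whatever', $titleFrom, PDO::PARAM_STR);
    $stmt->execute();

    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A value containing quote characters is compared as a plain string, so the
// query shape is unchanged; the same call with a normal value shows the
// intended dynamic WHERE ... AND hidden = 0.
$rows = selectContent($pdo, "alpha' OR '1'='1", 'visible');
printf("%d row(s) for the quote-laden value\n", count($rows));

foreach (selectContent($pdo, 'alpha', 'visible') as $row) {
    echo $row['uid'], ': ', $row['title'], PHP_EOL;
}
```

The point Martin makes about stdWrap applies to the value side only: stdWrap may compute the bound value freely, but anything that changes the SQL text itself (the appended CASE in the quoted example) has to come from the developer's own TypoScript, here modelled as the fixed $allowedAppend list.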