[TYPO3-dev] CONTENT object and SQL injection prevention
Jigal van Hemert
jigal at xs4all.nl
Mon Mar 29 13:26:43 CEST 2010
Martin Holtz wrote:
>>> where = title > :whatever
>>> where.append = CASE
>> True. You could do something with conditions (although that would have
>> other disadvantages).
You could put a CONTENT block inside each CASE option. This would
provide flexibility by selecting which query will be used.
>> Then again, the PDO::prepare() does not allow dynamic queries either :-)
> I would like to have the freedom to build the query as I want to.
>
> So, why not add stdWrap to where - using PDO::prepare at the
> end.
PDO isn't used at all by TYPO3. I used the named parameter markers of
PDO as inspiration.
> So the developer has a powerful mechanism to be SQL-Injection
> safe. If he does not use that mechanism it is like not using
> htmlspecialchars() or just using "php-content-element".
>
> So, I really like that solution - but only with full stdWrap support.
The problem with just allowing stdWrap on properties is that the
boundary between structure and data is gone.
.value = 23
.wrap = column='1|'
results in "column='123'"
Separating data and structure gives the possibility to filter data to
prevent SQL injection problems, but you will lose some flexibility.
Adding stdWrap to a property introduces the possibility to use external
data in all kinds of places. For an element which defines a database
query this is dangerous.
--
Jigal van Hemert.
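The contrast Jigal draws above (data wrapped into the query structure via stdWrap versus a fixed structure with named markers whose values are quoted before they are spliced in) can be seen in a few lines of PHP. This is an added example, not code from TYPO3, from PDO, or from either poster; the function names, the MySQL-style quoting rule and the sample input are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added example (not TYPO3 code): a minimal named-marker WHERE builder in the
// spirit of the proposal discussed above. The clause keeps the structure and
// only contains :name markers; the data arrives in a separate array and is
// quoted on the way in. quoteValue() and buildWhere() are hypothetical names.

/**
 * Quote one value as a SQL literal. Integers stay bare; everything else becomes
 * a single-quoted string with backslash and single quote escaped (MySQL-style).
 * A real implementation would delegate to the database driver's quoting.
 */
function quoteValue($value): string
{
    if (is_int($value)) {
        return (string) $value;
    }
    return "'" . str_replace(['\\', "'"], ['\\\\', "\\'"], (string) $value) . "'";
}

/**
 * Replace every :name marker in $where with the quoted value of $params['name'].
 * An unknown marker is an error, so a typo in the TypoScript cannot silently
 * leave raw text in the query. Assumption: markers do not occur inside string
 * literals of $where; a production version would tokenize the clause first.
 */
function buildWhere(string $where, array $params): string
{
    return preg_replace_callback(
        '/:([A-Za-z_][A-Za-z0-9_]*)/',
        static function (array $m) use ($params): string {
            if (!array_key_exists($m[1], $params)) {
                throw new InvalidArgumentException("no value for marker :{$m[1]}");
            }
            return quoteValue($params[$m[1]]);
        },
        $where
    );
}

// Constructed input: a value as it might arrive from a GET parameter.
$userInput = "0' OR '1'='1";

// stdWrap-style: the data is wrapped straight into the structure, the same
// effect as   .value = <input>   .wrap = uid='|'
$wrapped = "uid = '" . $userInput . "'";
echo "wrap:   $wrapped\n";

// Marker-style: structure and data stay apart until quoting.
$safe = buildWhere(
    'uid = :uid AND hidden = :hidden',
    ['uid' => $userInput, 'hidden' => 0]
);
echo "marker: $safe\n";
```

Running it shows the difference in one glance: the wrapped clause has the OR condition spliced into the structure, while the marker version keeps the whole input inside one escaped string literal, which is exactly the "filter data, keep structure" separation the post argues for.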