[TYPO3-dev] CONTENT object and SQL injection prevention

Jigal van Hemert jigal at xs4all.nl
Mon Mar 29 13:26:43 CEST 2010


Martin Holtz wrote:
>>> where = title > :whatever
>>> where.append = CASE
>> True. You could do something with conditions (although that would have
>> other disadvantages).

You could put a CONTENT block inside each CASE option. This would 
provide flexibility by selecting which query will be used.

>> Then again, the PDO::prepare() does not allow dynamic queries either :-)
> I would like to have the freedom to build the query as I want to.
> 
> So, why not add stdWrap to where, using PDO::prepare at the
> end.

PDO isn't used at all by TYPO3. I used the named parameter markers of 
PDO as inspiration.

> So the developer has a powerful mechanism to be SQL-injection
> safe. If he does not use that mechanism it is like not using
> htmlspecialchars() or just using "php-content-element".
> 
> So, I really like that solution - but only with full stdWrap support.

The problem with just allowing stdWrap on properties is that the 
boundary between structure and data is gone.
.value = 23
.wrap = column='1|'
results in "column='123'"

Separating data and structure gives the possibility to filter data to 
prevent SQL injection problems, but you will lose some flexibility.

Adding stdWrap to a property introduces the possibility to use external 
data in all kinds of places. For an element which defines a database 
query this is dangerous.

-- 
Jigal van Hemert.
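As an added illustration of the structure/data split discussed in this thread (example code, not TYPO3's and not either poster's own), here is a small Python model of the two approaches: a fixed where-template with PDO-style ":name" markers whose values are quoted into literals, the stdWrap-style "|" wrap from the post, and a skeleton() helper that blanks out literals so you can see whether the input changed the query's structure. The function names (bind_where, stdwrap_where, skeleton), the MySQL-style backslash escaping and the sample payloads are all assumptions made for this example.

```python
import re
from typing import Any, Dict

# Marker syntax modelled on the PDO-style ":name" the post uses as inspiration (assumption).
_MARKER = re.compile(r"(?<![:\w]):([A-Za-z_]\w*)")
# Tokens that carry data rather than structure: quoted strings and bare numbers.
_DATA = re.compile(r"'(?:\\.|[^'\\])*'|\b\d+(?:\.\d+)?\b")


def quote_value(value: Any) -> str:
    """Render one Python value as a SQL literal (MySQL-style escaping, assumed)."""
    if value is None:
        return "NULL"
    if isinstance(value, bool):          # bool before int: bool is an int subclass
        return "1" if value else "0"
    if isinstance(value, int):
        return str(value)
    if isinstance(value, float):
        return repr(value)
    text = str(value).replace("\\", "\\\\").replace("'", "\\'")
    return f"'{text}'"


def bind_where(template: str, params: Dict[str, Any]) -> str:
    """Fill ':name' markers in a fixed where-template with quoted values.

    The template is the only source of structure; params can only ever
    become literals. A marker with no bound value is an error, not an
    empty string, so a missing parameter cannot silently widen the query.
    """
    def substitute(match: "re.Match[str]") -> str:
        name = match.group(1)
        if name not in params:
            raise KeyError(f"no value bound for :{name}")
        return quote_value(params[name])

    return _MARKER.sub(substitute, template)


def stdwrap_where(wrap: str, value: str) -> str:
    """Mimic the stdWrap example from the post: '|' in wrap is replaced by value.

    This is plain string concatenation, so the value is free to supply
    structure (operators, extra predicates) and not only data.
    """
    return wrap.replace("|", str(value))


def skeleton(sql: str) -> str:
    """Strip string and numeric literals so only the clause's structure remains."""
    return _DATA.sub("?", sql)


if __name__ == "__main__":
    # Constructed inputs: the post's own ".value = 23 / .wrap = column='1|'"
    # and a hostile value that would arrive from the request (assumption).
    hostile = "' OR '1'='1"
    print(stdwrap_where("column='1|'", "23"), "->", skeleton(stdwrap_where("column='1|'", "23")))
    print(stdwrap_where("column='1|'", hostile), "->", skeleton(stdwrap_where("column='1|'", hostile)))
    bound = bind_where("title > :whatever", {"whatever": "x' OR 1=1 -- "})
    print(bound, "->", skeleton(bound))
```

The skeleton of the marker-bound clause is "title > ?" whatever the bound value contains, whereas the wrapped clause's skeleton changes from "column=?" to "column=? OR ?=?" as soon as the value carries a quote: that difference is exactly the boundary between structure and data the post says stdWrap on a query property removes.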



