[TYPO3-dev] CONTENT object and SQL injection prevention
Jigal van Hemert
jigal at xs4all.nl
Mon Mar 29 13:59:09 CEST 2010
Martin Holtz wrote:
>> If the value is an integer or a float (also an integer or float in a
>> string) it is inserted as a numerical value, otherwise it's fed through
>> t3lib_DB::fullQuoteStr().
> afaik you should use fullQuoteStr() for all values to be DBAL
> compatible. Otherwise it could happen that you send an integer to a
> varchar, which could fail on some DBs.
Isn't this handled by DBAL? Numeric values in hardcoded parts of the
query are also handled by DBAL, aren't they?
> And you need the second parameter "table" for fullQuoteStr() so it
> should be added to the markers configuration as well.
>
> Respect join - the tables can be different for each field in a where clause.
And how would you handle a single marker in two places where one is
related to one table and the other to another table?
Add aliases to the equation and it becomes very complicated to detect
the right table.
As far as I've seen the table defined in the 'table' property of CONTENT
is used for quoting. PHP only needs the connection for properly escaping
the value for MySQL queries. I doubt that DBAL is capable of handling
queries with different database systems for both ends of a join; a query
should stay within a single database system. So, the table set in the
'table' property should be sufficient for fullQuoteStr().
--
Jigal van Hemert.
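The substitution rule under discussion, as an added example that is not TYPO3 core code and not from anyone in this thread: integers and floats (including numeric strings) go into the WHERE clause as bare literals, everything else is quoted, and a `$quoteAll` switch implements the DBAL-friendly alternative of quoting every value. `quoteStr()` is an assumed stand-in for `t3lib_DB::fullQuoteStr($str, $table)`, which needs a live connection; like the CONTENT object, the function takes a single table name for all markers. The marker names, the sample values and the escaping (MySQL-style, single quotes and backslashes only) are constructed for the example.

```php
<?php
declare(strict_types=1);

// Stand-in for t3lib_DB::fullQuoteStr($str, $table). The real function escapes
// through the driver of the connection that $table lives on; this one only
// handles backslashes and single quotes, which is enough to show the principle.
function quoteStr(string $value, string $table): string
{
    return "'" . str_replace(['\\', "'"], ['\\\\', "\\'"], $value) . "'";
}

// True for PHP ints/floats and for plain (optionally signed) decimal strings.
// Deliberately narrower than is_numeric(), which also accepts " 1", "1e3" or "+1".
function isNumericLiteral($value): bool
{
    if (is_int($value) || is_float($value)) {
        return true;
    }
    return is_string($value) && preg_match('/^-?\d+(\.\d+)?$/', $value) === 1;
}

// Replace ###name### markers in $where with SQL-safe representations of $markers.
// With $quoteAll = false numbers are inserted bare, everything else is quoted;
// with $quoteAll = true every value is quoted (the DBAL-compatible variant).
function substituteQueryMarkers(string $where, array $markers, string $table, bool $quoteAll = false): string
{
    $map = [];
    foreach ($markers as $name => $value) {
        if (!$quoteAll && isNumericLiteral($value)) {
            $sql = (string)$value;
        } else {
            $sql = quoteStr((string)$value, $table);
        }
        $map['###' . $name . '###'] = $sql;
    }
    // strtr() with an array replaces in a single pass, so a substituted value
    // that itself contains "###...###" is never substituted a second time.
    return strtr($where, $map);
}

// Constructed sample input: one marker used for an id, one for free text.
$where = 'uid = ###uid### AND title = ###title### AND deleted = ###deleted###';
$markers = [
    'uid'     => '42',                    // numeric string, inserted as a bare literal
    'title'   => "O'Reilly' OR 1=1 -- ",  // quote characters are escaped, so this stays a string value
    'deleted' => 0,
];

echo substituteQueryMarkers($where, $markers, 'tt_content'), "\n";
echo substituteQueryMarkers($where, $markers, 'tt_content', true), "\n";
```

The first call leaves `uid` and `deleted` as bare numbers and quotes only `title`; the second quotes all three, which is what the "quote everything for DBAL" suggestion amounts to. Either way the table passed to `quoteStr()` is the one from the CONTENT object's `table` property, so a marker that appears twice in the WHERE clause is always escaped for that one connection.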