[TYPO3-dev] CONTENT object and SQL injection prevention

Jigal van Hemert jigal at xs4all.nl
Mon Mar 29 13:59:09 CEST 2010


Martin Holtz wrote:
>> If the value is an integer or a float (also an integer or float in a
>> string) it is inserted as a numerical value, otherwise it's fed through
>> t3lib_DB::fullQuoteStr().
> afaik you should use fullQuoteStr() for all values to be DBAL
> compatible. Otherwise it could happen that you send an integer to a
> varchar, which could fail on some DBs.

Isn't this handled by DBAL? Numeric values in hardcoded parts of the 
query are also handled by DBAL, aren't they?

> And you need the second parameter "table" for fullQuoteStr() so it
> should be added to the markers configuration as well.
> 
> Regarding joins - the tables can be different for each field in a where clause.

And how would you handle a single marker in two places where one is 
related to one table and the other to another table?

Add aliases to the equation and it becomes very complicated to detect 
the right table.

As far as I've seen the table defined in the 'table' property of CONTENT 
is used for quoting. PHP only needs the connection for properly escaping 
the value for MySQL queries. I doubt that DBAL is capable of handling 
queries with different database systems for both ends of a join; a query 
should stay within a single database system. So, the table set in the 
'table' property should be sufficient for fullQuoteStr().

-- 
Jigal van Hemert.
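As an added illustration of the quoting rule discussed in this message (numeric values, including numeric strings, are inserted bare; everything else goes through fullQuoteStr() with the CONTENT object's 'table'), here is a small stand-alone PHP sketch. It is not TYPO3 core code and not code from this thread; the FakeDb class, the ###MARKER### naming and the regular-expression numeric check are my own assumptions so that the example runs without a database connection. The real t3lib_DB::fullQuoteStr($str, $table) escapes through the open MySQL connection, which FakeDb only imitates with addslashes().

```php
<?php
// Added example, not TYPO3 code. Demonstrates marker substitution in a
// WHERE clause following the rule: plain numbers go in unquoted, every
// other value is passed through fullQuoteStr($value, $table).

// Stand-in for t3lib_DB (assumption): same fullQuoteStr($str, $table)
// signature, but escaping is done with addslashes() instead of the
// connection-aware escaping the real class uses.
class FakeDb
{
    public function fullQuoteStr($str, $table)
    {
        return "'" . addslashes($str) . "'";
    }
}

// Strict numeric check. PHP's is_numeric() also accepts '1e3', ' 42'
// (leading whitespace) and, on older PHP versions, '0x1A'; none of those
// should be pasted unquoted into SQL, so only plain integers/decimals
// count as numbers here. Everything else is quoted.
function isPlainNumber($value)
{
    if (is_int($value) || is_float($value)) {
        return true;
    }
    return is_string($value)
        && preg_match('/^-?(\d+|\d*\.\d+)$/', $value) === 1;
}

// Replace ###NAME### markers in $where with safely encoded values.
// $table is the CONTENT object's 'table' property, handed on to
// fullQuoteStr() as its second parameter.
function substituteMarkers($where, array $markers, $table, $db)
{
    $search = array();
    $replace = array();
    foreach ($markers as $name => $value) {
        $search[] = '###' . $name . '###';
        if (isPlainNumber($value)) {
            // Normalise ('012' -> 12, '1.50' -> 1.5) and insert bare.
            $replace[] = (string) ($value + 0);
        } else {
            $replace[] = $db->fullQuoteStr($value, $table);
        }
    }
    return str_replace($search, $replace, $where);
}

// Constructed sample input: one numeric marker, one hostile string.
$db = new FakeDb();
$where = 'pid = ###PID### AND title = ###TITLE###';
$markers = array(
    'PID'   => '12',
    'TITLE' => "O'Reilly' OR 1=1 -- ",
);
echo substituteMarkers($where, $markers, 'tt_content', $db), "\n";
```

Running this prints the clause with `pid = 12` left bare and the TITLE value enclosed in single quotes with its embedded quote escaped, so the `OR 1=1` stays inside the string literal rather than becoming part of the condition. The table name is passed through unchanged for every marker, which matches the point made above: a marker that appears twice, once per joined table, still gets quoted with the single 'table' of the CONTENT object, and for MySQL that is all the escaping function needs.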
