[TYPO3-dev] CONTENT object and SQL injection prevention
Martin Holtz
typo3ng_2009 at martinholtz.de
Mon Mar 29 14:36:07 CEST 2010
Hi Jigal,
>>> If the value is an integer or a float (also an integer or float in a
>>> string) it is inserted as a numerical value, otherwise it's fed through
>>> t3lib_DB::fullQuoteStr().
>> afaik you should use fullQuoteStr() for all values to be DBAL
>> compatible. Otherwise it could happen, that you send an integer to an
>> varchar which could fail on some DBs.
>
> Isn't this handled by DBAL? Numeric values in hardcoded parts of the
> query are also handled by DBAL, aren't they?
Sorry, i do not know. I thought not, but perhaps it does?
> As far as I've seen the table defined in the 'table' property of CONTENT
> is used for quoting. PHP only needs the connection for properly escaping
> the value for MySQL queries. I doubt that DBAL is capable of handling
> queries with different database systems for both ends of a join; a query
> should stay within a single database system. So, the table set in the
> 'table' property should be sufficient for fullQuoteStr().
ah, yes i think you are right.
So, it does not depend on the table how to quote, but only on the DBMS.
If i it means fullQuoteStr needs the table to detect which DBMS is used.
Then you are right - table should be enough.
gruss,
martin
--
Martin Holtz - elemente websolutions http://www.elemente-websolutions.ms
http://wiki.typo3.org/Ts45min - TypoScript in "45" minutes
http://wiki.typo3.org/De:ts45min - (auch in Deutsch)
More information about the TYPO3-dev
mailing list