[TYPO3] Making querystrings SQL safe?
Bob
bitsandbob at googlemail.com
Mon Apr 7 11:16:58 CEST 2008
OK, I've found a solution. But I feel like I've reinvented the wheel.
And while my "wheel" works, it's not very elegant (a bit of a square
wheel, maybe!). I'm surprised that I needed to create external functions
to do what standard PHP functions do. And there's got to be a better way
to handle ".data"...
Anyway, here's how I've done it. But I'd really appreciate it if someone
could give me a clue how I *should* have done it.
Here's my TypoScript (abbreviated):
includeLibs.myFunctions = fileadmin/myFunctions.php
temp.safeSQL = USER
temp.safeSQL.userFunc = user_myFunctions->safeSQL
temp.relevantEventsData = LOAD_REGISTER
temp.relevantEventsData.dayName.cObject < temp.safeSQL
temp.relevantEventsData.dayName.cObject.data = GPvar:day
temp.relevantEventsPages = LOAD_REGISTER
temp.relevantEventsPages.eventuids.cObject = COA
temp.relevantEventsPages.eventuids.cObject {
    10 = CONTENT
    10.table = pages
    10.select.pidInList.data = {$EventDataUID}
    10.select.andWhere.data = register:dayName
    10.select.andWhere.wrap = title LIKE '|'
    10.select.andWhere.if.isTrue.data = register:dayName
    10.renderObj = TEXT
    10.renderObj.field = uid
    10.renderObj.noTrimWrap = ||, |
    20 = TEXT
    20.data = register:regionuids
}
page.1000 < temp.relevantEventsData
page.1010 < temp.relevantEventsPages
page.1020 < styles.content.get
page.1020.select.pidInList.data = register:eventuids
And here's my PHP:
<?php
class user_myFunctions {
    var $cObj; // The backReference to the mother cObj object set at call time

    function safeSQL($content, $conf) {
        # Replace apostrophes with double apostrophes to prevent
        # apostrophes in query strings from breaking any SQL that
        # they end up being used in
        $content .= str_replace("'", "''", $this->combineValueAndData($conf));
        return $content;
    }

    function combineValueAndData($conf) {
        # Combines value in .value with data referred to by .data
        $value = isset($conf["value"]) ? $conf["value"] : "";
        $data  = isset($conf["data"])  ? $conf["data"]  : "";
        return $value . $this->resolveData($data);
    }

    function resolveData($data) {
        # Get the actual data referred to by the reference in .data
        $resolvedData = "";
        if ($data != "") {
            # "GPvar:day" -> type "GPvar", source "day"
            list($type, $source) = explode(":", $data, 2);
            switch ($type) {
                case "GPvar":
                    $resolvedData .= t3lib_div::_GP($source);
                    break;
            }
            /* Need to handle register, etc. here too... */
        }
        return $resolvedData;
    }
}
?>
Thanks,
Bob
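As an added illustration (not from Bob's post and not TYPO3 code), here is a stand-alone PHP script that checks whether an escaped value, once wrapped in single quotes, still forms exactly one MySQL string literal. It compares the apostrophe-doubling used in the post with the backslash-aware escaping that mysql_real_escape_string() performs (TYPO3's $GLOBALS['TYPO3_DB']->quoteStr() is built on that function); the function names and the sample values are chosen here.

```php
<?php
// Added example: does an escaped value, wrapped in single quotes, still form
// exactly ONE MySQL string literal? MySQL (default sql_mode) treats backslash
// as an escape character, so doubling apostrophes alone is not enough.

// The approach used in the post above: double every apostrophe.
function escapeByDoubling($value) {
    return str_replace("'", "''", $value);
}

// The substitutions mysql_real_escape_string() makes in default sql_mode,
// reimplemented only so the script runs without a database. It ignores the
// connection character set, so use the real function (or quoteStr) in TYPO3.
function escapeForMySql($value) {
    return str_replace(
        array("\\", "\0", "\n", "\r", "'", '"', "\x1a"),
        array("\\\\", "\\0", "\\n", "\\r", "\\'", '\\"', "\\Z"),
        $value
    );
}

// Scan "'" . $escaped . "'" with MySQL's string-literal rules and return true
// only if the closing quote is the very last byte (nothing leaks out).
function isSingleLiteral($escaped) {
    $sql = "'" . $escaped . "'";
    $len = strlen($sql);
    $i = 1;                                   // skip the opening quote
    while ($i < $len) {
        if ($sql[$i] === '\\') {
            $i += 2;                          // backslash escapes the next byte
        } elseif ($sql[$i] === "'") {
            if ($i + 1 < $len && $sql[$i + 1] === "'") {
                $i += 2;                      // '' is an escaped apostrophe
            } else {
                return $i === $len - 1;       // a lone quote closes the literal
            }
        } else {
            $i++;
        }
    }
    return false;                             // literal never closed
}
// Constructed sample values a "day" GPvar might carry.
$samples = array("Monday", "O'Neil", "trailing\\'");
foreach ($samples as $s) {
    printf("%-12s doubling: %-5s real escape: %s\n", $s,
        isSingleLiteral(escapeByDoubling($s)) ? 'ok' : 'LEAK',
        isSingleLiteral(escapeForMySql($s)) ? 'ok' : 'LEAK');
}
```

The third sample shows why doubling alone is not safe: a value ending in a backslash and an apostrophe stays open after doubling, while the backslash-aware escaping keeps it a single literal. For a value like a day name, validating it against a fixed list of allowed names before it reaches the query is simpler still.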