[TYPO3-shop] Is there any input validation?
Franz Holzinger
franz at fholzinger.com
Mon Jan 8 10:46:50 CET 2007
Hello Reinhard,
> What I tried to find were checks to prevent SQL injection or XSS.
> Moreover, I did not even see validation ensuring that fields such as
> name or address are filled in or that the values are in the correct form.
>
> Is it true that tt_products lacks such checks?
The database access is done via the DBAL API.
$TYPO3_DB->exec_INSERTquery($this->tablename, $newFields);
$TYPO3_DB->exec_UPDATEquery($this->tablename,$where_clause,$newFields);
This will call ESC and quotes inside TYPO3:
------------------------------------
function INSERTquery($table,$fields_values,$no_quote_fields=FALSE) {
    // Table and fieldnames should be "SQL-injection-safe" when supplied to this function (contrary to values in the arrays which may be insecure).
    if (is_array($fields_values) && count($fields_values)) {
        // quote and escape values
        $fields_values = $this->fullQuoteArray($fields_values,$table,$no_quote_fields);
        // ... (the rest of the function builds and returns the INSERT query string)
    }
}
-------------------------------------
The name and addresses can be entered in any form. This won't be checked.
XSS entries, however, are not filtered out:
If you enter this:
<script alert("Hello, XSS");></script>
Then it will remain.
However nothing will be displayed to other visitors of the homepage.
- Franz
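The two separate concerns Franz describes, as an added illustration that is not part of the original post and not TYPO3 or tt_products code: the quote-and-escape step that exec_INSERTquery() applies to the VALUES (and deliberately not to the table or field names), and the output encoding a template must still apply because stored "<script>" text is not filtered at input time. The quoteValue()/quoteArray()/buildInsert()/renderField() functions and the sample order data below are assumptions written for this example; TYPO3 core itself delegates the escaping to the database driver.

```php
<?php
// Added example (not TYPO3/tt_products code): emulate what fullQuoteArray()
// does for VALUES, show why table/field names are excluded from it, and show
// the output encoding needed against stored XSS.
declare(strict_types=1);

/**
 * Quote and escape one value for use as a single-quoted SQL literal.
 * Assumption: plain-PHP stand-in for the driver escape routine TYPO3 uses.
 */
function quoteValue(?string $value): string
{
    if ($value === null) {
        return 'NULL';
    }
    // Escape backslash, both quote characters, NUL and line breaks.
    $escaped = strtr($value, [
        "\\" => "\\\\",
        "'"  => "\\'",
        "\"" => "\\\"",
        "\0" => "\\0",
        "\n" => "\\n",
        "\r" => "\\r",
    ]);
    return "'" . $escaped . "'";
}

/** Quote every value of a fieldname => value array (the role of fullQuoteArray()). */
function quoteArray(array $fieldsValues): array
{
    // array_map with a single array keeps the string keys (field names).
    return array_map('quoteValue', $fieldsValues);
}

/**
 * Build an INSERT statement. Only the VALUES are quoted; $table and the
 * field names are concatenated as-is. That is exactly why the core comment
 * quoted above requires them to be "SQL-injection-safe" already, i.e. to
 * come from code rather than from the request.
 */
function buildInsert(string $table, array $fieldsValues): string
{
    $quoted = quoteArray($fieldsValues);
    return 'INSERT INTO ' . $table
        . ' (' . implode(', ', array_keys($quoted)) . ')'
        . ' VALUES (' . implode(', ', $quoted) . ')';
}

/** Output encoding: what the storefront template must do before echoing a stored field. */
function renderField(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample order data, as a visitor might type it into the form.
$newFields = [
    'name'    => "O'Brien",                          // apostrophe in a legitimate name
    'address' => "1 Main St' OR 'x'='x",             // constructed quote-breaking attempt
    'note'    => '<script>alert("Hello, XSS")</script>', // stored unchanged, as the post says
];

// Field names are hard-coded here, which is the precondition the core comment states.
echo buildInsert('tt_products_orders', $newFields), PHP_EOL;

// The note is stored verbatim; it is only inert on a page if encoded at output time.
echo renderField($newFields['note']), PHP_EOL;
```

Running the script shows the apostrophes in both the name and the address escaped inside their quoted literals, so neither can terminate the string and alter the statement, while the script text in the note is stored as-is and comes out of renderField() with its angle brackets and quotes turned into HTML entities. The check to keep in mind when reviewing extension code is therefore not the values (the DBAL layer handles those) but whether any $table, field name, ORDER BY or WHERE fragment is ever built from request data, and whether every stored field is passed through an output encoder before it reaches HTML.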