[TYPO3-mvc] SQL-Injection orderBy

Christian Baer chr.baer at googlemail.com
Thu Jun 24 11:09:04 CEST 2010


Hi,

maybe I just found a possibility for SQL-Injection in 
Tx_Extbase_Persistence_Storage_Typo3DbBackend, could someone check this 
please?


When you build a query with
$query->setOrderings(array($field => Tx_Extbase_Persistence_QueryInterface::ORDER_DESCENDING));
the variable $field is NOT stripped or escaped or anything similar by 
default. Shouldn't it be?

I had this variable open when I implemented a pager with 
sorting options. Of course I know I can (or should) check this in my 
code, but shouldn't the method $query->setOrderings(...) be safe anyway?


Regards,
Christian


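The whitelist check the post says the caller has to do, as an added example that is not part of the original post and not Extbase code. It is plain PHP that runs from the command line without TYPO3: the ORDER_ASCENDING/ORDER_DESCENDING constants are redefined here with the values Extbase's Tx_Extbase_Persistence_QueryInterface uses, the sort keys in the map are assumed, and naiveOrderBySql() is a constructed stand-in for a backend that concatenates the ordering into SQL unchecked, not the actual Typo3DbBackend code.

```php
<?php
// Added example, not Extbase code. Runs stand-alone: php orderings.php

// Mirror the values of Tx_Extbase_Persistence_QueryInterface::ORDER_ASCENDING
// and ::ORDER_DESCENDING so the script works without TYPO3 loaded.
const ORDER_ASCENDING  = 'ASC';
const ORDER_DESCENDING = 'DESC';

/**
 * Sort keys the pager exposes to users, mapped to the property names the
 * query may order by (assumed names). Anything not in this map is rejected,
 * so the user-supplied string itself never reaches the query.
 */
function allowedSortFields() {
    return array(
        'title' => 'title',
        'date'  => 'crdate',
        'price' => 'price',
    );
}

/**
 * Build the array $query->setOrderings() expects from untrusted request
 * input. Returns null when the field is not whitelisted; an unknown
 * direction falls back to ascending instead of being passed through.
 */
function buildOrderings($requestedField, $requestedDirection) {
    $fields = allowedSortFields();
    if (!is_string($requestedField) || !isset($fields[$requestedField])) {
        return null;
    }
    $direction = strtoupper((string) $requestedDirection) === 'DESC'
        ? ORDER_DESCENDING
        : ORDER_ASCENDING;
    return array($fields[$requestedField] => $direction);
}

/**
 * Constructed stand-in for a backend that concatenates orderings into the
 * ORDER BY clause without checking them. Shows why the whitelist matters;
 * this is NOT how Typo3DbBackend is written.
 */
function naiveOrderBySql(array $orderings) {
    $parts = array();
    foreach ($orderings as $column => $direction) {
        $parts[] = $column . ' ' . $direction;
    }
    return 'SELECT * FROM tx_example ORDER BY ' . implode(', ', $parts);
}

// Constructed request input, as a tampered pager link might send it: an
// ORDER BY expression whose result depends on a subquery, which is enough
// for boolean-based inference even though ORDER BY takes no bound parameters.
$hostile = '(CASE WHEN (SELECT 1)=1 THEN title ELSE crdate END)';

// Unchecked: the hostile expression lands verbatim in the SQL.
echo naiveOrderBySql(array($hostile => ORDER_DESCENDING)), "\n";

// Checked: the whitelist rejects it before any query is built, and only
// the mapped property name and a known direction ever get through.
var_dump(buildOrderings($hostile, 'DESC'));
var_dump(buildOrderings('date', 'desc'));
var_dump(buildOrderings('date', 'sideways'));
```

Because an ORDER BY column is an identifier rather than a value, it cannot be bound as a prepared-statement parameter, which is why the mapping above is a fixed lookup rather than an escaping call: only names the application itself chose are ever handed to setOrderings().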