[TYPO3-mvc] SQL-Injection orderBy
Christian Baer
chr.baer at googlemail.com
Thu Jun 24 11:09:04 CEST 2010
Hi,
maybe I just found a possible SQL injection in
Tx_Extbase_Persistence_Storage_Typo3DbBackend, could someone please check
this?
When you build a query with
$query->setOrderings(array($field => Tx_Extbase_Persistence_QueryInterface::ORDER_DESCENDING));
the variable $field is NOT stripped or escaped or anything similar by
default. Shouldn't it be?
I had this variable open when I implemented a pager with
sorting options. Of course I know I can (or should) check this in my
code, but shouldn't the method $query->setOrderings(...) be safe anyway?
Regards,
Christian
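The check the post refers to, done on the caller's side: an added example (not code from the original post or from Extbase) of a pager that maps request parameters onto a whitelist before they reach setOrderings(), so no raw request string is ever used as an ORDER BY column. It assumes a TYPO3 4.x Extbase controller; the controller and repository names, the property list and the argument names sortField and sortDirection are made up for illustration.

```php
<?php
// Assumed controller and repository names, for illustration only.
class Tx_MyExt_Controller_ItemController extends Tx_Extbase_MVC_Controller_ActionController {

    /**
     * Sort keys the pager accepts from the request, mapped to the model
     * property each one stands for. Anything not in this list is rejected
     * before it can reach the query backend.
     */
    protected $sortableProperties = array(
        'title' => 'title',
        'date'  => 'crdate',
        'price' => 'price',
    );

    public function listAction() {
        $field = $this->request->hasArgument('sortField')
            ? $this->request->getArgument('sortField') : 'title';
        $direction = $this->request->hasArgument('sortDirection')
            ? $this->request->getArgument('sortDirection') : 'asc';

        $query = $this->itemRepository->createQuery();
        $query->setOrderings($this->buildOrderings($field, $direction));
        $this->view->assign('items', $query->execute());
    }

    /**
     * Reduce the raw request values to a safe orderings array: unknown
     * fields fall back to the default property, and the direction becomes
     * one of the two QueryInterface constants rather than a free string.
     */
    protected function buildOrderings($field, $direction) {
        if (!isset($this->sortableProperties[$field])) {
            $field = 'title';
        }
        $direction = (strtolower($direction) === 'desc')
            ? Tx_Extbase_Persistence_QueryInterface::ORDER_DESCENDING
            : Tx_Extbase_Persistence_QueryInterface::ORDER_ASCENDING;
        return array($this->sortableProperties[$field] => $direction);
    }
}
```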