[TYPO3-mvc] SQL-Injection orderBy
Nikolas Hagelstein
lists at shr-now.de
Thu Jun 24 13:10:09 CEST 2010
Hi,
> When you build a query with
> $query->setOrderings(array ( $field => DESC ));
> the variable $field is NOT stripped or escaped or anything similar by
> default. Shouldn't it be?
Imho yes, but if you use the action argument directly you should add a
validation rule to the action argument anyway.
E.g. a regexp à la /(field1)|(field2)|(field3)/
Cheers,
Nikolas
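Added example, not code from the thread or from Extbase: a strict allow-list that maps a request-supplied field and direction to the array `setOrderings()` expects, plus a check showing why an unanchored pattern of the kind suggested above lets extra characters through. The function name and the column names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example (hypothetical helper, not Extbase code): build the
// $query->setOrderings() argument from untrusted request values with an
// exact-match allow-list instead of an unanchored regexp.

// Mirrors the two direction constants exposed by Extbase's QueryInterface.
const ORDER_ASCENDING  = 'ASC';
const ORDER_DESCENDING = 'DESC';

/**
 * Map a request-supplied field/direction pair to a safe orderings array.
 * Returns null when either value is not on the allow-list, so the caller can
 * fall back to a default ordering instead of passing the raw value on.
 */
function buildOrderings(string $field, string $direction, array $allowedFields): ?array
{
    // Strict membership test: whole-string, same-type comparison only.
    if (!in_array($field, $allowedFields, true)) {
        return null;
    }
    $direction = strtoupper($direction);
    if ($direction !== ORDER_ASCENDING && $direction !== ORDER_DESCENDING) {
        return null;
    }
    // Only allow-listed literals reach the query; nothing from the request does.
    return [$field => $direction];
}

// Constructed inputs; column names are assumed, not taken from the thread.
$allowed = ['title', 'crdate', 'tstamp'];

if (buildOrderings('crdate', 'desc', $allowed) !== ['crdate' => 'DESC']) {
    throw new RuntimeException('allowed field/direction should pass');
}
if (buildOrderings('crdate; extra', 'desc', $allowed) !== null) {
    throw new RuntimeException('value with trailing characters should be rejected');
}
// An unanchored alternation matches as a substring, so the same value passes it;
// anchoring the pattern (^...$) closes that gap.
if (preg_match('/(title)|(crdate)|(tstamp)/', 'crdate; extra') !== 1) {
    throw new RuntimeException('unanchored pattern unexpectedly rejected the value');
}
if (preg_match('/^(title|crdate|tstamp)$/', 'crdate; extra') !== 0) {
    throw new RuntimeException('anchored pattern should reject the value');
}
```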