[TYPO3-mvc] SQL-Injection orderBy
Christian Baer
chr.baer at googlemail.com
Thu Jun 24 15:23:17 CEST 2010
Hi,
That's what I did: I implemented a whitelist.
Regards,
Christian
On 24.06.10 13:10, Nikolas Hagelstein wrote:
> Hi,
>
>> When you build a query with
>> $query->setOrderings(array($field => 'DESC'));
>> the variable $field is NOT stripped or escaped or anything similar by
>> default. Shouldn't it be?
> Imho yes, but if you use the action argument directly you should add a
> validation rule to the action argument anyway.
> E.g. a regexp à la /(field1)|(field2)|(field3)/
>
>
> Cheers,
> Nikolas
>
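An added example (not code from the thread or from TYPO3) combining both suggestions above: a validation rule on the action arguments plus a whitelist map, so the request value itself never reaches setOrderings(). It assumes a modern namespaced Extbase (TYPO3\CMS\Extbase\...); ProductController and ProductRepository are hypothetical names.

```php
<?php
declare(strict_types=1);

use TYPO3\CMS\Extbase\Annotation as Extbase;
use TYPO3\CMS\Extbase\Mvc\Controller\ActionController;
use TYPO3\CMS\Extbase\Persistence\QueryInterface;
use Psr\Http\Message\ResponseInterface;
use Vendor\Shop\Domain\Repository\ProductRepository; // hypothetical

class ProductController extends ActionController
{
    // Request value => model property. Anything not listed is rejected.
    private const SORTABLE = ['name' => 'name', 'price' => 'price', 'date' => 'crdate'];
    private const DIRECTIONS = [
        'asc'  => QueryInterface::ORDER_ASCENDING,
        'desc' => QueryInterface::ORDER_DESCENDING,
    ];

    protected ProductRepository $productRepository;

    public function injectProductRepository(ProductRepository $productRepository): void
    {
        $this->productRepository = $productRepository;
    }

    /**
     * Validation rule on the action arguments. The pattern is anchored with
     * ^ and $ so only an exact key matches, not any string that contains one.
     *
     * @Extbase\Validate("RegularExpression", param="sortBy", options={"regularExpression": "/^(name|price|date)$/"})
     * @Extbase\Validate("RegularExpression", param="sortDir", options={"regularExpression": "/^(asc|desc)$/"})
     */
    public function listAction(string $sortBy = 'name', string $sortDir = 'asc'): ResponseInterface
    {
        $query = $this->productRepository->createQuery();
        // Whitelist lookup: only the mapped property name and constant are
        // handed to the query, never the raw request value.
        $query->setOrderings(self::buildOrderings($sortBy, $sortDir));
        $this->view->assign('products', $query->execute());
        return $this->htmlResponse();
    }

    public static function buildOrderings(string $sortBy, string $sortDir): array
    {
        if (!isset(self::SORTABLE[$sortBy]) || !isset(self::DIRECTIONS[$sortDir])) {
            throw new \InvalidArgumentException("Unsupported ordering: $sortBy $sortDir");
        }
        return [self::SORTABLE[$sortBy] => self::DIRECTIONS[$sortDir]];
    }
}
```

buildOrderings() rejects unknown input outright rather than falling back silently, which makes a bad client value visible in logs instead of quietly changing the result order.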