[TYPO3-mvc] SQL-Injection orderBy
Helmut Hummel
helmut at typo3.org
Thu Jun 24 22:04:56 CEST 2010
Hi,
On 24.06.10 11:09, Christian Baer wrote:
>
> I have this variable open when I implemented a pager with
> sorting-options. Of course I know I can (or should) check this in my
> code, but shouldn't the method $query->setOrderings(...) be safe anyway?
I'd say that since the classname is known to the query object, the
latter should check if the property exists in this class (through
reflection) and throw an exception if it is not present.
But I'm not too familiar with extbase.
Helmut
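
The reflection check suggested above, as an added example that is not part of the original message and is not Extbase code. `validateOrderings()` and the `Product` class are hypothetical names, and the plain `ASC`/`DESC` strings stand in for whatever direction constants the query object uses.

```php
<?php
declare(strict_types=1);

// Constructed sample domain model; stands in for an Extbase model class.
class Product
{
    protected string $title = '';
    protected float $price = 0.0;
}

/**
 * Hypothetical helper: accept only orderings whose keys are declared
 * properties of $className and whose values are ASC or DESC.
 *
 * @param array $orderings property name => direction, from the request
 * @return array<string,string> normalised orderings, safe to pass on
 * @throws InvalidArgumentException on an unknown property or direction
 */
function validateOrderings(string $className, array $orderings): array
{
    $class = new ReflectionClass($className);
    $safe = [];
    foreach ($orderings as $property => $direction) {
        // hasProperty() is an exact name lookup, so anything other than a
        // declared property name (extra SQL included) fails the check.
        if (!is_string($property) || !$class->hasProperty($property)) {
            throw new InvalidArgumentException(
                sprintf('Unknown ordering property for %s', $className)
            );
        }
        $direction = is_string($direction) ? strtoupper($direction) : '';
        if (!in_array($direction, ['ASC', 'DESC'], true)) {
            throw new InvalidArgumentException('Invalid ordering direction');
        }
        $safe[$property] = $direction;
    }
    return $safe;
}

// Constructed request values, as a pager with sort options would receive them.
var_dump(validateOrderings(Product::class, ['price' => 'desc']));
try {
    validateOrderings(Product::class, ['price DESC, 1' => 'ASC']);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

The returned array contains only property names that exist on the class, so it can be handed to `$query->setOrderings(...)` without the caller's raw input reaching the generated SQL.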