[TYPO3-mvc] MySQL Error
Helmut Hummel
helmut.hummel at typo3.org
Fri Apr 26 22:47:55 CEST 2013
Hi Kevin,
On 26.04.13 12:16, Kevin Meckl wrote:
> $constraint[] = $query->like($field, '%' . $searchQuery . '%');
Just a short note on that:
If $field is user input, then this code is vulnerable to SQL Injection
attempts[1].
Kind regards,
Helmut
[1]<http://forge.typo3.org/projects/typo3v4-mvc/wiki/Extbase__FLOW3_Security_Cookbook>
--
Helmut Hummel
Release Manager TYPO3 6.0
TYPO3 Core Developer, TYPO3 Security Team Member
TYPO3 .... inspiring people to share!
Get involved: typo3.org
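As an added illustration of the point made above (this is not code from the thread or from Extbase itself): the search term passed as the second argument of `like()` is bound as a value, but the first argument is a property name that is interpolated into the generated SQL, so a request-supplied `$field` must be checked against an allowlist before it reaches the query. The repository, model properties and the array form of `logicalOr()` (the Extbase 6.x signature) are assumptions.

```php
<?php
// Added example (not from the original thread): restrict a user-supplied
// property name to an allowlist before it reaches $query->like(). There is no
// parameter slot for identifiers in SQL, so "escaping" $field is not an option;
// only exact, known property names may be used. Names below are assumed.

class ArticleRepository extends \TYPO3\CMS\Extbase\Persistence\Repository
{
    /** Properties a client may search in (assumed domain model). */
    protected $searchableProperties = array('title', 'teaser', 'author');

    /**
     * @param array  $fields      property names taken from the request
     * @param string $searchQuery free-text search term from the request
     * @return \TYPO3\CMS\Extbase\Persistence\QueryResultInterface
     */
    public function findBySearch(array $fields, $searchQuery)
    {
        $query = $this->createQuery();
        $constraints = array();
        foreach ($fields as $field) {
            // Strict comparison against the allowlist; anything else is
            // rejected outright instead of being passed on to the query.
            if (!in_array($field, $this->searchableProperties, true)) {
                throw new \InvalidArgumentException(
                    'Unsupported search field: ' . htmlspecialchars((string)$field),
                    1366999999 // placeholder exception code
                );
            }
            // The term is bound as a value: wildcards inside it only widen
            // the LIKE match, they cannot break out of the statement.
            $constraints[] = $query->like($field, '%' . $searchQuery . '%');
        }
        if (!empty($constraints)) {
            $query->matching($query->logicalOr($constraints));
        }
        return $query->execute();
    }
}
```

Newer Extbase versions take the constraints of `logicalOr()` as separate arguments rather than one array.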