[TYPO3-core] RFC: #11531: Recycler filter produce wrong SQL

Martin Kutschker masi-no at spam-typo3.org
Wed Jul 15 15:32:09 CEST 2009


Steffen Kamper wrote:
> Hi,
> 
> You're all right. It was one of my extensions where I filled it this
> way, maybe to test something.
> 
> Just in general: even if it's illegal, shouldn't we use the principle:
> don't trust user's input? I mean with this "wrong" input it causes
> several SQL errors which are mostly invisible only with debug option.

We must not trust data that comes from forms, URLs, files, the shell
etc. I think we can trust the configuration.

Actually I think we should loosen things a bit and throw exceptions. E.g.
instead of using intval() on a configured (!) argument I would either
pass it to the SQL server and raise an exception if the SQL query broke.
This will increase performance. Or I'd test if the value is an integer,
throwing an exception if it's not. Those implicit zero values are also
not really good to debug. The only thing that's good about it is that the
server doesn't choke in a production environment on errors. But I think
that there are better ways to handle this.

Masi
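
The second option described in the message above (test whether the value is an integer and throw if it is not), set beside what `intval()` does with the same input. This is an added example, not part of the original message and not TYPO3 code; the helper name `requireIntegerSetting`, the setting name `pid` and the sample values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not a TYPO3 API): accept a configured value only if it
 * is a well-formed decimal integer, otherwise fail loudly.
 */
function requireIntegerSetting(string $name, $value): int
{
    if (is_int($value)) {
        return $value;
    }
    // FILTER_VALIDATE_INT rejects '', 'abc', '12abc', '1.5' and '1 OR 1=1',
    // which intval() would silently turn into 0, 0, 12, 1 and 1.
    $parsed = is_string($value)
        ? filter_var(trim($value), FILTER_VALIDATE_INT)
        : false;
    if ($parsed === false) {
        throw new InvalidArgumentException(sprintf(
            'Setting "%s" must be an integer, got %s',
            $name,
            var_export($value, true)
        ));
    }
    return $parsed;
}

// Constructed sample configuration values.
$samples = ['42', ' 7 ', '', 'abc', '12abc', '1 OR 1=1'];

foreach ($samples as $raw) {
    // What the implicit cast would place into the SQL query.
    $implicit = intval($raw);
    try {
        $strict = requireIntegerSetting('pid', $raw);
        printf("%-12s intval=%d strict=%d\n",
            var_export($raw, true), $implicit, $strict);
    } catch (InvalidArgumentException $e) {
        printf("%-12s intval=%d strict=EXCEPTION: %s\n",
            var_export($raw, true), $implicit, $e->getMessage());
    }
}
```

The malformed values still produce valid SQL under `intval()`, so the query runs against the wrong record set without any error; the strict check names the offending setting at the point where it is read.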

