[TYPO3-core] RFC: #11531: Recycler filter produce wrong SQL
Steffen Kamper
info at sk-typo3.de
Wed Jul 15 15:41:38 CEST 2009
Hi,
Martin Kutschker schrieb:
> Steffen Kamper schrieb:
>> Hi,
>>
>> You're all right. It was one of my extensions where I filled it this
>> way, maybe to test something.
>>
>> Just for general: even if it's illegal, shouldn't we use the principle:
>> don't trust the user's input? I mean with this "wrong" input it causes
>> several SQL errors which are mostly invisible and only show with the debug option.
>
> We must not trust data that comes from forms, URLs, files, the shell
> etc. I think we can trust the configuration.
>
> Actually I think we should loosen things a bit and throw exceptions. E.g.
> instead of using intval() on a configured (!) argument I would either
> pass it to the SQL server and raise an exception if the SQL query broke.
> This will increase performance. Or I'd test if the value is an integer,
> throwing an exception if it's not. Those implicit zero values are also
> not really good to debug. The only thing that's good about it that the
> server doesn't choke in a production environment on errors. But I think
> that there are better ways to handle this.
>
> Masi
OK, so I drop this RFC.
vg Steffen
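The two options Martin describes (silently coercing a configured value with intval() versus validating it and throwing) are contrasted in the following added example. It is not code from the thread or from TYPO3; the configuration array and the key name `pid` are assumptions made for illustration.

```php
<?php
// Added example, not from the TYPO3 thread: silent intval() coercion of a
// configured value versus strict validation that throws on bad input.
// The $conf array and its 'pid' key are assumed names for illustration.

declare(strict_types=1);

/**
 * Silent coercion: intval() takes whatever leading digits it finds and turns
 * everything else into 0, so a misconfigured value becomes a "valid" filter
 * value and the resulting query quietly selects the wrong rows.
 */
function pidFilterLoose(array $conf): string
{
    $pid = intval($conf['pid'] ?? 0);
    return 'pid=' . $pid;
}

/**
 * Strict validation: accept only an integer or the exact string form of one,
 * and throw otherwise, so a configuration mistake surfaces at once instead
 * of being hidden behind an implicit zero.
 */
function pidFilterStrict(array $conf): string
{
    if (!array_key_exists('pid', $conf)) {
        throw new InvalidArgumentException('Configuration key "pid" is missing');
    }
    $raw = $conf['pid'];
    // FILTER_VALIDATE_INT rejects trailing garbage, floats and empty strings
    // and returns false for them, unlike intval().
    $pid = filter_var($raw, FILTER_VALIDATE_INT);
    if ($pid === false) {
        throw new InvalidArgumentException(
            sprintf('Configured pid must be an integer, got %s', var_export($raw, true))
        );
    }
    return 'pid=' . $pid;
}

// Constructed configurations: one sane, one with a typo in the value.
$good = ['pid' => '42'];
$bad  = ['pid' => '42 abc'];

echo pidFilterLoose($good), "\n";
echo pidFilterLoose($bad), "\n";   // the typo is swallowed by intval()
echo pidFilterStrict($good), "\n";

try {
    echo pidFilterStrict($bad), "\n";
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```

With the loose variant the malformed value is reduced to its leading digits and the filter still "works", which is exactly the hard-to-debug implicit value the message complains about; the strict variant turns the same mistake into an exception that names the offending value. Coercion with intval() remains the right tool for untrusted request data where the query must never break; the strict check fits configuration, which the developer controls and wants to see fail loudly.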