[TYPO3-core] RFC Feature #11193: Enable stdWrap on select properties groupBy and orderBy
JoH asenau
info at cybercraft.de
Tue Jun 2 13:35:54 CEST 2009
As I already posted as a note to some of the "add stdWrap to select
parameters" issues, these stdWrap parameters open up new possibilities for
TS admins to open up security holes without even noticing it.
We already have the problem that "andWhere.data = GPvar:blah" leads to a
possible MySQL injection, because the core doesn't escape incoming values
here and TS can't do it properly either.
So IF you really want to apply more stdWrap properties for select
parameters, you should
a) clearly state that it's up to the admin to escape incoming values in TS,
or
b) make sure incoming values will be escaped properly by the core.
Just my 2 cents
Joey
--
Wenn man keine Ahnung hat: Einfach mal Fresse halten!
(If you have no clues: simply shut your gob sometimes!)
Dieter Nuhr, German comedian
Twitter: http://twitter.com/bunnyfield
Xing: http://contact.cybercraft.de
T3 cookbook (2nd edition): http://www.4any1.de
TYPO3 training: http://workshops.eqony.com
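The configuration the post is warning about, beside one way a TypoScript admin can at least contain it for a numeric column. This is an added example, not code from the mail or from the TYPO3 core; the table, column and GET/POST parameter names (tt_content, uid, GPvar:itemid) are assumed, and it relies on the stdWrap processing order (data is evaluated before intval, and intval before wrap):

```typoscript
# Weak: the raw request value is pasted into the WHERE clause unchanged.
# Nothing in this chain escapes or validates it, which is the injection
# the mail describes.
lib.items = CONTENT
lib.items {
  table = tt_content
  select {
    pidInList = this
    andWhere.data = GPvar:itemid
    andWhere.wrap = uid=|
  }
}

# Contained (numeric column only): intval runs after data and before wrap,
# so whatever arrives in the request is reduced to an integer before it
# reaches the query. This covers integer comparisons; it is not a general
# string-escaping mechanism, which is the gap the mail says TS cannot fill.
lib.itemsSafe = CONTENT
lib.itemsSafe {
  table = tt_content
  select {
    pidInList = this
    andWhere.data = GPvar:itemid
    andWhere.intval = 1
    andWhere.wrap = uid=|
  }
}
```

For anything other than an integer comparison there is no stdWrap property that produces a correctly quoted SQL literal, so the string case still depends on option (b) from the mail: escaping in the core before the value is placed in the query.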