[TYPO3-core] RFC: Bug #10099: Use TYPO3_DB->exec_SELECTcountRows() to determine the number of rows

Dmitry Dulepov dmitry at typo3.org
Mon Mar 9 11:08:30 CET 2009


Hi!

Michael Stucki wrote:
> One thing though: In tslib/class.tslib_fetce.php, you have added an
> intval() statement to the end of the $doublePostField check. I looked at
> the code and the value should always come from hexdec, which means
> "number". So the addition will most likely not hurt, but I can't say for
> sure. What I would like in any case is that this change (and more if I
> overlooked any others) is moved into a separate commit.
> 
> +1 after that part is removed.

This is not good. Extra security measures never hurt. If that part is ever changed above, the query will be unprotected and create an SQL injection. So I am -1 to removing intval().

-- 
Dmitry Dulepov
TYPO3 core team
http://dmitry-dulepov.com/

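To illustrate the point being argued above about why an intval() cast is worth keeping even when today's value always comes from hexdec(), here is an added example. It is not code from the thread or from TYPO3; the function, table and column names are hypothetical, and it only imitates the pattern of interpolating a "double post" check value into a SELECT:

```php
<?php
// Added illustration, not TYPO3 code. buildDoublePostWhere(), the table name
// and the column name are hypothetical stand-ins for the code discussed in the thread.

/**
 * Builds the COUNT query for a double-post check. $doublePostField is the value
 * compared against the stored check column. $castToInt toggles the intval() guard
 * that is under discussion.
 */
function buildDoublePostWhere(string $table, $doublePostField, bool $castToInt): string
{
    $value = $castToInt ? intval($doublePostField) : $doublePostField;
    return 'SELECT COUNT(*) FROM ' . $table . ' WHERE double_post_check=' . $value;
}

// The situation today: the value is derived with hexdec(), so it is always an int
// (the hex string here is a constructed sample, e.g. the first 7 chars of a hash).
$fromHexdec = hexdec('1a2b3c4');

// A hypothetical future change that takes the value straight from the request,
// without hexdec(): the SQL is only still safe if the intval() cast is present.
$fromRequest = '0 OR 1=1; -- ';

foreach ([['hexdec', $fromHexdec], ['request', $fromRequest]] as [$label, $input]) {
    echo $label, ' without intval(): ', buildDoublePostWhere('tx_hypothetical_posts', $input, false), "\n";
    echo $label, ' with intval():    ', buildDoublePostWhere('tx_hypothetical_posts', $input, true), "\n";
}
```

With the cast in place, both inputs produce a WHERE clause comparing against a bare integer; without it, the request-derived string lands in the query verbatim. Note that intval() only reduces the value to its leading digits (a string such as "5 OR 1=1" becomes 5), so it is a type guard for integer columns, not a general quoting mechanism; for string values the database layer's quoting function is the right tool.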
