[TYPO3-core] RFC: Bug #10099: Use TYPO3_DB->exec_SELECTcountRows() to determine the number of rows

Oliver Hader oliver at typo3.org
Mon Mar 9 15:02:57 CET 2009


Hi Dmitry,

Dmitry Dulepov wrote:
> Hi!
> 
> Michael Stucki wrote:
>> One thing though: In tslib/class.tslib_fetce.php, you have added an
>> intval() statement to the end of the $doublePostField check. I looked at
>> the code and the value should always come from hexdec, which means
>> "number". So the addition will most likely not hurt, but I can't say for
>> sure. What I would like in any case is that this change (and more if I
>> overlooked any others) is moved into a separate commit.
>>
>> +1 after that part is removed.
> 
> This is not good. Extra security measures never hurt. If that part is ever changed above, the query will be unprotected and create an SQL injection. So I am -1 to removing intval().

The value is processed before by calcDoublePostKey() which returns a
value generated by hexdec(). I don't think that this function supports
negative exponents on the base of 16 and that something like "ABCD.48"
is used. Thus, it returns an integer.

However, I'm fine with adding that additional intval() for the case that
method is called directly from any extension.

olly
-- 
Oliver Hader
TYPO3 Release Manager 4.3
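As an added example (not the patch under review and not TYPO3's own code), the point argued in this thread in PHP: calcDoublePostKeyLike() is a stand-in for calcDoublePostKey() that only mirrors its use of hexdec(); the field name and the tampered input are constructed.

```php
<?php
// Added example: why a cast at the point where a value enters SQL text still
// holds even if the producer of that value changes later or is bypassed.

// Stand-in for the producer (hypothetical; the real calcDoublePostKey() is
// not reproduced here). Like the original it returns hexdec() output, i.e.
// a non-negative number, never a string carrying SQL metacharacters.
// Eight hex digits always fit in an int on 64-bit PHP.
function calcDoublePostKeyLike(string $content)
{
    return hexdec(substr(md5($content), 0, 8));
}

// Consumer without the cast: well-formed only while $key really is numeric.
function whereClauseUnchecked(string $field, $key): string
{
    return $field . '=' . $key;
}

// Consumer with the defensive cast kept in the patch: whatever arrives,
// only an integer ever reaches the query text.
function whereClauseChecked(string $field, $key): string
{
    return $field . '=' . intval($key);
}

// Regular path: both consumers produce the same clause from hexdec() output.
$key = calcDoublePostKeyLike('constructed form content');
var_dump($key);
echo whereClauseUnchecked('doublePostCheck', $key), "\n";
echo whereClauseChecked('doublePostCheck', $key), "\n";

// hexdec() has no fractional notation: non-hex characters such as '.' are
// skipped (PHP 7.4+ emits an E_DEPRECATED notice), so "ABCD.48" is read
// as "ABCD48" and the result is still an integer.
var_dump(hexdec('ABCD.48') === 0xABCD48);

// Direct call from an extension with an unvalidated value, the case Oliver
// accepts the intval() for: only the checked variant keeps the clause numeric.
$tampered = 'not-a-number';
echo whereClauseUnchecked('doublePostCheck', $tampered), "\n";
echo whereClauseChecked('doublePostCheck', $tampered), "\n";
```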
