[TYPO3-core] RFC: Feature Request #6882: Enable stdWrap for select.where

Stefan Frömken firma at sfroemken.de
Thu Oct 1 14:23:05 CEST 2009


What about adding an additional setting like HSC? Set this setting to 1 
by default, so the query is escaped by default.
The admin can decide for himself to set this setting to 0.

On 28.09.2009 22:25, Sebastian Gebhard wrote:
> Andreas wrote:
>>> The negative side-effect of applying this RFC to Trunk would be that
>>> SQL injections would then be possible in TypoScript as well. I don't
>>> think this is a good idea.
>>
>> Wouldn't that be possible already using select.andWhere?
> Absolutely yes. Holding this feature back does not make sense at all.
> I'd propose to include a warning into documentation not to use unescaped
> GPvars with this feature.



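The injection risk the thread is discussing, shown as TypoScript configuration. This is an added illustration and not code from the RFC or from TYPO3 core; the page path `page.10`, the GET parameters `title` and `uid`, and the column names are assumptions for the example. The first block concatenates a raw GPvar into `select.andWhere`, which already has stdWrap and performs no SQL escaping; the second restricts the value to an integer before it reaches the query.

```typoscript
# WEAK (constructed example): a raw GET parameter is wrapped straight into
# the WHERE clause. Request "?title=x' OR 1=1 -- " changes the query.
page.10 = CONTENT
page.10 {
  table = tt_content
  select {
    pidInList = this
    # andWhere has stdWrap, and dataWrap expands {GP:title} unescaped
    andWhere.dataWrap = header = '{GP:title}'
  }
}

# HARDENED (constructed example): only a numeric value is accepted, so the
# user-controlled part of the query can never contain quotes or operators.
page.10 = CONTENT
page.10 {
  table = tt_content
  select {
    pidInList = this
    andWhere.cObject = TEXT
    andWhere.cObject {
      data = GP:uid
      # stdWrap intval casts the value to an integer before it is wrapped
      intval = 1
      wrap = uid=|
    }
  }
}
```

The caveat for the thread's proposal: `intval` (or an equivalent whitelist such as a fixed `case` mapping) works for numeric or enumerated parameters, but there is no stdWrap property in this TYPO3 series that quotes an arbitrary string for SQL, so free-text GPvars should not be placed into `where` or `andWhere` at all, whichever default an escaping switch would take.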