[TYPO3-core] RFC #12094: Bug: stdWrap function fullQuoteStr

Martin Holtz typo3ng_2009 at martinholtz.de
Thu Oct 1 16:06:41 CEST 2009


This is an SVN patch request.

Type: New feature

Bugtracker references:
http://bugs.typo3.org/view.php?id=12094

Branches:
trunk

Problem:

# SQL-Injection possible:
1 = CONTENT
1.table = tt_content
1.select {
   andWhere.cObject = TEXT
   andWhere.cObject.data = GPvar:parameter
   andWhere.cObject.wrap = header = |
}

It is not possible to secure that against SQL injection, other than using a
userFunc to sanitize the input.

Solution:

1 = CONTENT
1.table = tt_content
1.select {
   andWhere.cObject = TEXT
   andWhere.cObject.data = GPvar:parameter
   # use fullQuoteStr - expects the table-name as value
   andWhere.cObject.fullQuoteStr = tt_content
   andWhere.cObject.wrap = header = |
}


In my eyes, it is really important to provide such a function.
Otherwise the users would think that TYPO3 cares for them. If there is a
function, most developers would be aware of the SQL injection.

gruss,
martin
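The following is an added example, not part of the mail and not TYPO3 code. It models the proposed stdWrap chain (data -> fullQuoteStr -> wrap) outside TYPO3: the GPvar value is either pasted into the `andWhere` clause as-is (the Problem case) or quoted first (the Solution case), and both clauses are run against a constructed SQLite table standing in for tt_content. The table name, rows and the `quote` flag are assumptions for the demo; quoting here is ANSI/SQLite quote doubling, whereas TYPO3's fullQuoteStr() delegates to the MySQL driver's escaping, so only the dialect differs, not the principle.

```python
import sqlite3

# Constructed sample rows standing in for tt_content (uid, header, hidden).
SAMPLE_ROWS = [
    (1, "Welcome", 0),
    (2, "O'Brien", 0),
    (3, "Welcome", 1),   # hidden draft, must never match
]


def full_quote_str(value: str) -> str:
    """Return value as a single-quoted SQL literal.

    Assumption: models the effect of the proposed fullQuoteStr step.
    SQLite/ANSI escaping doubles the inner quote; MySQL (TYPO3's target)
    uses the driver's escaping function instead, but the contract is the
    same: the result is always one string literal, never SQL syntax.
    """
    return "'" + value.replace("'", "''") + "'"


def build_and_where(parameter: str, quote: bool) -> str:
    """Mimic the stdWrap chain from the mail: data, optional fullQuoteStr,
    then wrap = 'header = |'."""
    data = full_quote_str(parameter) if quote else parameter
    return "header = " + data


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tt_content (uid INTEGER, header TEXT, hidden INTEGER)")
    conn.executemany("INSERT INTO tt_content VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def query(parameter: str, quote: bool):
    """Run the CONTENT-style select with the user-supplied andWhere clause.

    Returns the sorted list of matching uids, or an 'error: ...' string when
    the clause is not valid SQL (the unquoted path turns data into syntax).
    """
    sql = "SELECT uid FROM tt_content WHERE hidden = 0 AND " + build_and_where(parameter, quote)
    conn = make_db()
    try:
        return sorted(row[0] for row in conn.execute(sql))
    except sqlite3.OperationalError as exc:
        return "error: " + str(exc)
    finally:
        conn.close()


if __name__ == "__main__":
    for param in ("Welcome", "O'Brien"):
        print(repr(param), "unquoted ->", query(param, quote=False))
        print(repr(param), "quoted   ->", query(param, quote=True))
```

Without quoting, even a harmless value such as `Welcome` is parsed as a column reference and a value containing a quote breaks the statement, which is exactly the surface the mail describes; with the quoting step every value becomes a literal and only exact, non-hidden matches are returned.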

