[TYPO3-core] RFC #12094: Bug: stdWrap function fullQuoteStr
Martin Holtz
typo3ng_2009 at martinholtz.de
Thu Oct 1 16:06:41 CEST 2009
This is an SVN patch request.
Type: New feature
Bugtracker references:
http://bugs.typo3.org/view.php?id=12094
Branches:
trunk
Problem:
# SQL-Injection possible:
1 = CONTENT
1.table = tt_content
1.select {
andWhere.cObject = TEXT
andWhere.cObject.data = GPvar:parameter
andWhere.cObject.wrap = header = |
}
It is not possible to secure that against SQL injection, other than using a
userFunc to sanitize the input.
Solution:
1 = CONTENT
1.table = tt_content
1.select {
andWhere.cObject = TEXT
andWhere.cObject.data = GPvar:parameter
# use fullQuoteStr - expects the table-name as value
andWhere.cObject.fullQuoteStr = tt_content
andWhere.cObject.wrap = header = |
}
In my eyes, it is really important to provide such a function.
Otherwise users would think that TYPO3 cares for them. If there is a
function, most developers would be aware of the SQL injection.
Regards,
martin
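To make the difference between the two TypoScript snippets concrete, here is an added example (not part of this patch or of TYPO3's code) that models the `andWhere.cObject.wrap = header = |` splice in Python against an in-memory SQLite table. The `full_quote_str` helper is an assumed model of a fullQuoteStr-style stdWrap (SQLite doubles single quotes, whereas TYPO3 delegates to the MySQL driver's escaping), and the `tt_content` rows are constructed sample data.

```python
import sqlite3

# Constructed sample rows standing in for a tt_content table (not TYPO3 data).
ROWS = [(1, "Welcome"), (2, "O'Reilly review"), (3, "Contact")]


def full_quote_str(value: str) -> str:
    """Model of a fullQuoteStr-style stdWrap: escape the value and wrap it in
    single quotes so the database can only ever read it as a string literal.
    Assumption: the demo database is SQLite, which escapes ' by doubling."""
    return "'" + value.replace("'", "''") + "'"


def build_and_where(parameter: str, quote: bool) -> str:
    """Mimic `andWhere.cObject.wrap = header = |`: the GPvar value is spliced
    into the clause, optionally quoted first (the proposed fix)."""
    value = full_quote_str(parameter) if quote else parameter
    return "header = " + value


def select_uids(parameter: str, quote: bool) -> list:
    """Run the CONTENT-style query and return the matching uids.
    Raises sqlite3.Error when the spliced value breaks the SQL grammar."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute("CREATE TABLE tt_content (uid INTEGER, header TEXT)")
        conn.executemany("INSERT INTO tt_content VALUES (?, ?)", ROWS)
        sql = "SELECT uid FROM tt_content WHERE " + build_and_where(parameter, quote)
        return [row[0] for row in conn.execute(sql)]
    finally:
        conn.close()


def query_is_valid_sql(parameter: str, quote: bool) -> bool:
    """True if the clause built from `parameter` executes without a SQL error.
    Unquoted input is parsed as SQL (identifiers, operators), not as data."""
    try:
        select_uids(parameter, quote)
        return True
    except sqlite3.Error:
        return False


if __name__ == "__main__":
    for value in ("Welcome", "O'Reilly review"):
        print(repr(value), "quoted ->", select_uids(value, quote=True),
              "| unquoted parses:", query_is_valid_sql(value, quote=False))
```

With quoting, a header containing a quote still matches only its own row; without it, the same value is interpreted as SQL syntax rather than as a string.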