[TYPO3-core] RFC #12094: Bug: stdWrap function fullQuoteStr
Ernesto Baschny [cron IT]
ernst at cron-it.de
Thu Oct 1 17:19:13 CEST 2009
Hi Martin,
I like the idea, but would not call it "fullQuoteString", but instead
"sqlQuote" because that is more or less where it is to be used.
fullQuoteString is the function name in TYPO3_DB, but in this context it
is clear that it is doing SQL quoting.
This is still not a review. Have not even looked at the patch
(Content-Type: application/applefile, cannot be displayed inline, please
change that in your mail client).
Cheers,
Ernesto
Martin Holtz schrieb:
> This is an SVN patch request.
>
> Type: New feature
>
> Bugtracker references:
> http://bugs.typo3.org/view.php?id=12094
>
> Branches:
> trunk
>
> Problem:
>
> # SQL-Injection possible:
> 1 = CONTENT
> 1.table = tt_content
> 1.select {
> andWhere.cObject = TEXT
> andWhere.cObject.data = GPvar:parameter
> andWhere.cObject.wrap = header = |
> }
>
> it is not possible to secure that against sql-injection, other than use a
> userFunc to sanitize the input.
>
> Solution:
>
> 1 = CONTENT
> 1.table = tt_content
> 1.select {
> andWhere.cObject = TEXT
> andWhere.cObject.data = GPvar:parameter
> # use fullQuoteStr - expects the table-name as value
> andWhere.cObject.fullQuoteStr = tt_content
> andWhere.cObject.wrap = header = |
> }
>
>
> In my eyes, it is really important to provide such a function.
> Otherwise the users would think that TYPO3 cares for them. If there is a
> function, most developers would be aware of the sql-injection.
>
> gruss,
> martin
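The following PHP snippet is an added illustration of what the proposed stdWrap property is meant to do to the GPvar before the wrap builds the andWhere clause; it is not the patch's code and not part of this thread. It assumes the property behaves like TYPO3_DB::fullQuoteStr(), i.e. escapes the value for MySQL and encloses it in single quotes; the escaping is emulated with addcslashes so it runs without a database connection, and modelFullQuoteStr() and buildAndWhere() are names chosen here.

```php
<?php
// Added example, not the patch's code. Models the stdWrap steps from the
// TypoScript in the mail:
//   data = GPvar:parameter -> fullQuoteStr = tt_content -> wrap = header = |

// Emulation of TYPO3_DB::fullQuoteStr(): MySQL-style backslash escaping
// plus surrounding single quotes. Assumption: real fullQuoteStr uses the
// DB link's escaping; addcslashes stands in for it here so this runs offline.
function modelFullQuoteStr(string $value, string $table): string
{
    // $table is kept for parity with fullQuoteStr($str, $table); the
    // escaping itself does not depend on it.
    return "'" . addcslashes($value, "\x00\n\r\\'\"\x1a") . "'";
}

// Builds the andWhere fragment with or without the proposed property.
function buildAndWhere(string $gpValue, bool $useFullQuoteStr): string
{
    $content = $gpValue;                       // data = GPvar:parameter
    if ($useFullQuoteStr) {
        $content = modelFullQuoteStr($content, 'tt_content');
    }
    return 'header = ' . $content;             // wrap = header = |
}

// Constructed sample request parameter containing a quote and a backslash.
$parameter = "O'Neil \\ Sons";

// Without the property the raw value lands in the WHERE clause unquoted:
// the quote character is interpreted by the SQL parser, not treated as data.
echo buildAndWhere($parameter, false), "\n";

// With the property the whole value becomes one quoted string literal; note
// that the wrap must not add its own quotes, since fullQuoteStr already does.
echo buildAndWhere($parameter, true), "\n";
```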