[TYPO3-core] RFC #12094: Bug: stdWrap function fullQuoteStr
Georg Ringer
mail-spam at ringerge.org
Thu Oct 1 17:28:30 CEST 2009
Martin Holtz wrote:
> # SQL-Injection possible:
> 1 = CONTENT
> 1.table = tt_content
> 1.select {
> andWhere.cObject = TEXT
> andWhere.cObject.data = GPvar:parameter
> andWhere.cObject.wrap = header = |
> }
>
> it is not possible to secure that against sql-injection,
There is intval for stdWrap, so of course it is possible!
Georg