[TYPO3-core] RFC #12094: Bug: stdWrap function fullQuoteStr

Georg Ringer mail-spam at ringerge.org
Thu Oct 1 17:28:30 CEST 2009


Martin Holtz schrieb:
> # SQL-Injection possible:
> 1 = CONTENT
> 1.table = tt_content
> 1.select {
>    andWhere.cObject = TEXT
>    andWhere.cObject.data = GPvar:parameter
>    andWhere.cObject.wrap = header = |
> }
> 
> it is not possible to secure that against sql-injection,

there is intval for stdWrap, so of course it is possible!

Georg
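The two configurations side by side, as an added example that is not from the thread: the quoted andWhere as posted, then the variant Georg refers to, with stdWrap's intval applied to the request parameter before it is wrapped into the SQL fragment. Column name and GPvar parameter name are taken from the quoted snippet; the object names are placeholders.

```typoscript
# Weak: the raw request parameter is wrapped straight into the WHERE clause
vulnerable = CONTENT
vulnerable {
  table = tt_content
  select {
    andWhere.cObject = TEXT
    andWhere.cObject.data = GPvar:parameter
    andWhere.cObject.wrap = header = |
  }
}

# Hardened: intval is evaluated before wrap in the stdWrap order, so only an
# integer reaches the SQL fragment (non-numeric input collapses to 0)
hardened = CONTENT
hardened {
  table = tt_content
  select {
    andWhere.cObject = TEXT
    andWhere.cObject.data = GPvar:parameter
    andWhere.cObject.intval = 1
    andWhere.cObject.wrap = header = |
  }
}
```

intval is the right tool only where the parameter is meant to be an integer; a string parameter needs SQL quoting and escaping instead.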

