[TYPO3-core] RFC #12094: Bug: stdWrap function fullQuoteStr
Martin Holtz
typo3ng_2009 at martinholtz.de
Thu Oct 1 17:58:37 CEST 2009
Hi Georg,
>> # SQL-Injection possible:
>> 1 = CONTENT
>> 1.table = tt_content
>> 1.select {
>> andWhere.cObject = TEXT
>> andWhere.cObject.data = GPvar:parameter
>> andWhere.cObject.wrap = header = |
>> }
>>
>> it is not possible to secure that against sql-injection,
>
> there is intval for stdWrap, so of course it is possible!
I should have pointed out that it is not possible if you want to use a
string.
Something like:
andWhere.cObject.wrap = header = "hello world"
regards,
martin
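
The distinction drawn in this message, as an added example (not part of the original mail and not TYPO3 code): a Python/SQLite model of the `header = |` wrap, comparing the raw value, an `intval`-style cast and a quoted string. The helper names, the sample rows and the SQLite quoting rule (doubling `'`) are assumptions of this sketch.

```python
import re
import sqlite3

# Constructed sample rows standing in for tt_content (assumption).
ROWS = [(1, "hello world"), (2, "internal draft"), (3, "news")]
WRAP = "header = |"  # the andWhere wrap from the mail

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tt_content (uid INTEGER, header TEXT)")
    db.executemany("INSERT INTO tt_content VALUES (?, ?)", ROWS)
    return db

def wrap(template, value):
    """TypoScript-style wrap: the value replaces the | in the template."""
    return template.replace("|", value, 1)

def intval(value):
    """Model of an intval cast: leading integer part, otherwise 0."""
    m = re.match(r"\s*([+-]?\d+)", value)
    return str(int(m.group(1))) if m else "0"

def full_quote_str(value):
    """Hypothetical stand-in for a quoting function, SQLite dialect only:
    double every single quote, then enclose the value in single quotes."""
    return "'" + value.replace("'", "''") + "'"

def select_uids(db, and_where):
    """Run the query with the generated WHERE fragment, return matching uids."""
    sql = "SELECT uid FROM tt_content WHERE " + and_where
    return sorted(uid for (uid,) in db.execute(sql))

def demo():
    db = make_db()
    cases = {
        "raw, hostile input": wrap(WRAP, "0 OR 1=1"),
        "intval, hostile input": wrap(WRAP, intval("0 OR 1=1")),
        "intval, wanted string": wrap(WRAP, intval("hello world")),
        "quoted, wanted string": wrap(WRAP, full_quote_str("hello world")),
        "quoted, hostile input": wrap(WRAP, full_quote_str("x' OR '1'='1")),
    }
    return {name: (where, select_uids(db, where)) for name, where in cases.items()}

if __name__ == "__main__":
    for name, (where, uids) in demo().items():
        print(f"{name:24} WHERE {where:32} -> {uids}")
```

The cast neutralises the hostile value but can never match a string header; only the quoted form returns the intended row while keeping the input inside the literal.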