[TYPO3-core] RFC: Feature Request #6882: Enable stdWrap for select.where

Tyler Kraft tyler.kraft at netefficiency.co.uk
Tue Sep 29 12:13:20 CEST 2009


JoH asenau wrote:
>>>> The negative side-effect of applying this RFC to Trunk would be that
>>>> SQL injections then possible in TypoScript as well. I don't think
>>>> this is a good idea.
>>> Wouldn't that be possible already using select.andWhere?
>> Absolutely yes. Holding this feature back does not make sense at all.
>> I'd propose to include a warning into documentation not to use
>> unescaped GPvars with this feature.
> 
> Then could you please enlighten people, how to escape values other than
> integers with TypoScript?
> IMHO it's not that easy.
> 


Ok so that's really hard to do, and it's a valid concern.  And it 
obviously needs more consideration.

Imho having stdWrap on the andWhere IS a security risk (as Joey has 
pointed out numerous times), and it probably does need to have a warning 
added in TSref. And if one programs PHP and knows SQL then you could 
accomplish lots using it. But for someone that doesn't know PHP or SQL 
having stdWrap on these other properties would allow them (me) to make 
much greater use of the select.

So my thought is that instead of not having stdWrap on anything, can we 
- for the time being at least - just add stdWrap to some of the 
properties? pidInList already has stdWrap enabled, but can we also not 
add it to 'uidInList', 'recursive', 'max', and 'begin'. We know that 
these values always need to be integers, so after the stdWrap function 
is called can't they automatically be escaped (or intvalled).

It's not perfect, but this way we can still greatly increase the 
functionality of the select function without compromising security?

just my 2 cents.
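Added example (editor's illustration, not code from the poster or from TYPO3 core): what "intval after stdWrap" for the integer-only select properties could look like. The helper names are hypothetical and the inputs are constructed. Two caveats a practitioner would want: the real pidInList/uidInList also accept keywords such as "this" and "root", which a plain integer cast would silently turn into 0; and no cast of this kind helps for where/andWhere, because those carry free-form SQL rather than a list of numbers, which is why the injection concern stays with them.

```php
<?php
// Added example (not TYPO3 core code): what "intval after stdWrap" could
// look like for the integer-only select properties named in the mail.
// Helper names are hypothetical; sample inputs are constructed.

declare(strict_types=1);

/**
 * Reduce a comma-separated list (uidInList, pidInList) to integers only.
 * Each element is cast with intval(), so any SQL fragment that arrived
 * via an unescaped GPvar collapses to a plain number (or 0).
 */
function sanitizeIntList(string $value): string
{
    $clean = [];
    foreach (explode(',', $value) as $item) {
        $item = trim($item);
        if ($item === '') {
            continue; // skip empty entries left by trailing commas
        }
        $clean[] = intval($item);
    }
    return implode(',', $clean);
}

/**
 * Reduce a single-value property (max, begin, recursive) to a
 * non-negative integer; counts and depths are never negative.
 */
function sanitizeInt(string $value): int
{
    return max(0, intval($value));
}

// Constructed inputs standing in for what stdWrap might return when it
// reads a request parameter that nobody escaped.
$lists = [
    '12,7,3'       => '12,7,3', // well-formed list passes through
    '12, 7 OR 1=1' => '12,7',   // trailing SQL text is cut off by intval
    'abc'          => '0',      // non-numeric becomes 0, never text
];
foreach ($lists as $in => $expected) {
    $out = sanitizeIntList($in);
    printf("%-16s => %-8s %s\n", var_export($in, true), $out,
        $out === $expected ? 'ok' : 'MISMATCH');
}

// PHP turns numeric-looking array keys into ints, hence the (string) cast.
$singles = ['5' => 5, '5 extra' => 5, '-3' => 0, '' => 0];
foreach ($singles as $in => $expected) {
    $out = sanitizeInt((string) $in);
    printf("%-16s => %-8d %s\n", var_export((string) $in, true), $out,
        $out === $expected ? 'ok' : 'MISMATCH');
}
```

Run it with the PHP CLI; every line should print "ok". The point is that after the cast the value handed to the query builder can only ever be a list of integers, regardless of what stdWrap (or the GPvar behind it) produced.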
