[TYPO3-core] RFC: Feature Request #6882: Enable stdWrap for select.where
Tyler Kraft
tyler.kraft at netefficiency.co.uk
Tue Sep 29 12:13:20 CEST 2009
JoH asenau wrote:
>>>> The negative side-effect of applying this RFC to Trunk would be that
>>>> SQL injections would then be possible in TypoScript as well. I don't
>>>> think this is a good idea.
>>> Wouldn't that be possible already using select.andWhere?
>> Absolutely yes. Holding this feature back does not make sense at all.
>> I'd propose to include a warning into documentation not to use
>> unescaped GPvars with this feature.
>
> Then could you please enlighten people, how to escape values other than
> integers with TypoScript?
> IMHO it's not that easy.
>
OK, so that's really hard to do, and it's a valid concern. And it
obviously needs more consideration.
IMHO having stdWrap on the andWhere IS a security risk (as Joey has
pointed out numerous times), and it probably does need to have a warning
added in TSref. And if one programs PHP and knows SQL, you could
accomplish lots using it. But for someone that doesn't know PHP or SQL,
having stdWrap on these other properties would allow them (me) to make
much greater use of the select.
So my thought is that instead of not having stdWrap on anything, can we
- for the time being at least - just add stdWrap to some of the
properties? pidInList already has stdWrap enabled, but can we not also
add it to 'uidInList', 'recursive', 'max', and 'begin'? We know that
these values always need to be integers, so after the stdWrap function
is called, can't they automatically be escaped (or intval'ed)?
It's not perfect, but this way we can still greatly increase the
functionality of the select function without compromising security?
Just my 2 cents.
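The distinction Tyler draws between andWhere and the integer-only properties, as an added example that is not part of the original thread and not TYPO3's own code: a stand-alone Python model in which the same attacker-controlled value (constructed here, standing in for what a stdWrap such as `data = GP:id` would read from the request) is dropped into an andWhere string verbatim, and separately passed through an intval step modelled on PHP's intval() before reaching the SQL. The helper names (`intval`, `intval_list`, `select_unsafe`, `select_hardened`) and the `tt_content` query shape are assumptions of this example, not TypoScript or TYPO3 API.

```python
import re

# Constructed attacker-controlled value (not from the original thread), standing
# in for what a stdWrap such as `data = GP:id` would pull out of the request.
MALICIOUS_INPUT = "1 OR 1=1 -- "


def intval(value):
    """Model of PHP's intval(): keep the leading integer, otherwise 0.
    Assumption of this example, not a TYPO3 helper."""
    m = re.match(r"\s*([+-]?\d+)", str(value))
    return int(m.group(1)) if m else 0


def intval_list(value):
    """Coerce a comma-separated list (uidInList / pidInList style) to ints,
    one intval() per item; non-numeric items collapse to 0, so the list can
    never carry SQL syntax."""
    return [intval(part) for part in str(value).split(",")]


def select_unsafe(table, and_where):
    """andWhere as discussed in the thread: the stdWrap result is concatenated
    into the SQL string as-is, so any GPvar it carries is an injection point."""
    return f"SELECT * FROM {table} WHERE deleted=0 AND {and_where}"


def select_hardened(table, uid_in_list, begin, max_rows):
    """Tyler's proposal modelled: stdWrap may run on the integer-only
    properties, but every value is intval'ed before it reaches the SQL."""
    uids = ",".join(str(u) for u in intval_list(uid_in_list))
    return (f"SELECT * FROM {table} WHERE deleted=0 AND uid IN ({uids}) "
            f"LIMIT {intval(begin)},{intval(max_rows)}")


def demo():
    """Build both queries from the same hostile input and return them."""
    unsafe = select_unsafe("tt_content", f"uid={MALICIOUS_INPUT}")
    hardened = select_hardened("tt_content", MALICIOUS_INPUT, "0", MALICIOUS_INPUT)
    return unsafe, hardened


if __name__ == "__main__":
    unsafe, hardened = demo()
    print("andWhere, unescaped:  ", unsafe)     # ... AND uid=1 OR 1=1 --
    print("integer props, intval:", hardened)   # ... AND uid IN (1) LIMIT 0,1
```

The point the model makes is the one raised in the thread: for uidInList, max and begin the type itself is the escaping rule, so intval after stdWrap costs nothing and removes the injection vector, whereas andWhere has no type to fall back on and a documentation warning is all that protects it.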