[TYPO3-core] RFC: Feature Request #6882: Enable stdWrap for select.where
Jigal van Hemert
jigal at xs4all.nl
Tue Sep 29 23:00:53 CEST 2009
Tyler Kraft wrote:
> Imho having stdWrap on the andWhere IS a security risk (as Joey has
> pointed out numerous times), and it probably does need to have a warning
> added in TSref. And if one programs PHP and knows SQL then you could
> accomplish lots using it. But for someone that doesn't know PHP or SQL
> having stdWrap on these other properties would allow them (me) to make
> much greater use of the select.
The real problem of course is the possibility to insert data in the
query. For the select properties it should not be possible to use any
data insertion options directly. Instead some kind of variable binding
mechanism like in PHP's PDO could be used. These "variables" should then
be escaped/quoted to prevent SQL injection problems.
It could take the form of a new CONTENT object, marking the current
CONTENT object as deprecated and putting warnings somewhere in the backend.
Yes, maybe a bit too harsh for some, but closing this hole once and for
all would mean a step forward imho.
Regards,
--
Jigal van Hemert.
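An added illustration of the binding mechanism the message proposes (not TYPO3 code and not from this thread): the where clause may only carry `:name` placeholders, the values come from a separate `bind` array, and PDO prepared statements do the quoting. The `select`/`bind` array layout, the `buildSelect()` function and the no-literals policy are assumptions made for this sketch.

```php
<?php
// Added illustration of the binding idea, not TYPO3 code. Assumed config
// shape: 'where' may only contain :name placeholders for dynamic data; the
// values arrive in a separate 'bind' array and are never interpolated.
function buildSelect(array $select): array
{
    $table = $select['table'];
    if (!preg_match('/^[A-Za-z0-9_]+$/', $table)) {
        throw new InvalidArgumentException('invalid table name');
    }
    $where = $select['where'] ?? '1=1';
    // Assumed policy: no quoted literals in where, so data cannot be pasted in.
    if (strpbrk($where, "'\"") !== false) {
        throw new InvalidArgumentException('use :placeholders instead of literals');
    }
    preg_match_all('/:([A-Za-z_][A-Za-z0-9_]*)/', $where, $m);
    $params = [];
    foreach ($m[1] as $name) {
        if (!array_key_exists($name, $select['bind'] ?? [])) {
            throw new InvalidArgumentException("no bind value for :$name");
        }
        $params[':' . $name] = $select['bind'][$name];
    }
    return ['sql' => "SELECT * FROM $table WHERE $where", 'params' => $params];
}
// Constructed in-memory fixture standing in for a TYPO3 table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE pages (uid INTEGER, title TEXT, hidden INTEGER)');
$pdo->exec("INSERT INTO pages VALUES (1, 'Home', 0), (2, 'Secret', 1)");

$select = [
    'table' => 'pages',
    'where' => 'uid = :uid AND hidden = 0',
    'bind'  => ['uid' => $_GET['uid'] ?? '1'],  // request value, treated as data only
];
$q = buildSelect($select);
$stmt = $pdo->prepare($q['sql']);
$stmt->execute($q['params']);   // PDO binds the values; the where text never changes
foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
    echo $row['uid'] . ': ' . $row['title'] . "\n";
}

// A stdWrap-style attempt to paste a literal into where is rejected outright.
try {
    buildSelect(['table' => 'pages', 'where' => "title = 'Home'"]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}
```

Whatever arrives in `bind` is handed to PDO as a parameter, so it can only ever be compared as a value, which is the escaping/quoting step the message asks for.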