[TYPO3-core] RFC #13940 Preventing SQL injections in CONTENT object
Jigal van Hemert
jigal at xs4all.nl
Thu Apr 8 22:00:02 CEST 2010
Version 3
Martin Holtz wrote:
> if you define a string with a comma in it:
> your patch quotes both parts separately:
Good catch! I followed your suggestion. Attached is version 3.
Summary:
This is an SVN patch request.
Type: feature
Bugtracker references:
http://bugs.typo3.org/view.php?id=13940
Branches:
trunk
Problem: select.andWhere supports stdWrap, which makes SQL injection
problems possible.
Lots of people like to have stdWrap support for other properties of
'select' too, but this would lead to more SQL injection holes.
Solution:
- all properties of 'select' support the use of markers, even inside
stdWrap'ed properties
- the markers are defined in a separate 'markers' property and properly
escaped/quoted before injecting the values
* numeric values are not quoted, because comparison rules are
different for quoted and unquoted values in MySQL. DBAL will (have to)
handle this for other DBMSs.
* NULL values are supported
* comma separated lists are supported by setting the property
'commaSeparatedList' to 1; each value in the list will be handled separately
Thanks to Martin Holtz for his testing and feedback.
How to test:
10 = CONTENT
10 {
table = tt_news
select {
selectFields = title,uid
pidInList = 4
where = title > ###whatever###
orderBy = ###sortfield###
markers {
whatever.data = GP:first
sortfield.value = ti
sortfield.wrap = |tle
}
}
}
--
Jigal van Hemert.
Name: 13940_trunk_v3.diff
URL: <http://lists.typo3.org/pipermail/typo3-team-core/attachments/20100408/a5a7319b/attachment.txt>
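The marker rules in the RFC (string values quoted and escaped, numeric values left bare, NULL supported, optional comma-separated lists split and handled value by value, a plain string containing a comma kept as one literal) modelled in Python as an added illustration. This is not the attached patch and not TYPO3 code; the function names, the dict-based marker configuration and the sample values are assumptions chosen for the example.

```python
import re

# ###name### placeholders as used in the RFC's TypoScript example (assumed syntax for this model)
MARKER_RE = re.compile(r"###(\w+)###")
# integers and decimals stay unquoted, per the RFC's MySQL comparison-rule argument
NUMERIC_RE = re.compile(r"-?\d+(\.\d+)?")


def quote_string(value: str) -> str:
    """Return a MySQL single-quoted literal, escaping the characters a
    real_escape_string-style function handles."""
    escaped = (value.replace("\\", "\\\\")
                    .replace("\0", "\\0")
                    .replace("'", "\\'")
                    .replace('"', '\\"')
                    .replace("\n", "\\n")
                    .replace("\r", "\\r")
                    .replace("\x1a", "\\Z"))
    return "'" + escaped + "'"


def quote_value(value):
    """NULL for None, bare text for numeric values, quoted literal otherwise."""
    if value is None:
        return "NULL"
    text = str(value)
    if NUMERIC_RE.fullmatch(text):
        return text
    return quote_string(text)


def render_marker(value, comma_separated_list=False):
    """Render one marker value. Only with commaSeparatedList=1 is the value
    split on commas and each part quoted separately; otherwise a comma is
    ordinary string content (Martin Holtz's point in the thread)."""
    if not comma_separated_list:
        return quote_value(value)
    if value is None:
        return "NULL"
    return ",".join(quote_value(part.strip()) for part in str(value).split(","))


def substitute_markers(clause, markers):
    """Replace every ###name### in a clause with its rendered marker value.
    markers is a dict like {"whatever": {"value": "...", "commaSeparatedList": 1}}
    (constructed shape for this example). An unconfigured marker is an error
    rather than being passed through into the SQL."""
    def replace(match):
        name = match.group(1)
        if name not in markers:
            raise KeyError(f"no marker configured for ###{name}###")
        conf = markers[name]
        return render_marker(conf.get("value"), bool(conf.get("commaSeparatedList", 0)))
    return MARKER_RE.sub(replace, clause)


if __name__ == "__main__":
    # constructed sample: an injection attempt arriving via a request parameter
    print(substitute_markers("title > ###whatever###",
                             {"whatever": {"value": "x' OR 1=1"}}))
    # constructed sample: numeric, NULL, list and comma-in-string cases
    print(substitute_markers("uid = ###id###", {"id": {"value": "42"}}))
    print(substitute_markers("deleted IS ###d###", {"d": {"value": None}}))
    print(substitute_markers("uid IN (###ids###)",
                             {"ids": {"value": "1, 2, abc", "commaSeparatedList": 1}}))
    print(substitute_markers("title = ###t###", {"t": {"value": "a, b"}}))
```

The model only covers value positions such as the `where` clause. A marker placed where an identifier is expected, like the `orderBy` line in the RFC's test snippet, needs separate treatment, because a quoted literal in `ORDER BY` sorts by a constant rather than by the named column.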