[TYPO3-core] RFC #13940 Preventing SQL injections in CONTENT object

Susanne Moog typo3 at susannemoog.de
Tue Apr 13 19:07:48 CEST 2010


Hey Jigal,

On 08.04.2010 22:00, Jigal van Hemert wrote:
> How to test:
> 10 = CONTENT
> 10 {
>     table = tt_news
>     select {
>         selectFields = title,uid
>         pidInList = 4
>         where = title > ###whatever###
>         orderBy = ###sortfield###
>         markers {
>             whatever.data = GP:first
>             sortfield.value = ti
>             sortfield.wrap = |tle
>         }
>     }
> }
> 

here is my review. First of all, I really like the feature, I have
however some comments:

your example above does not work that way. You say:
sortfield.value = ti
sortfield.wrap = |tle

which does not work. What works is:
sortfield = ti
sortfield.wrap = |tle

(You have to debug the sql statement to see that the first one is not
working, as MySQL just happily ignores wrong ORDER BY statements [or
probably does something with it, but not what we want...])

Then the function getQueryMarkers itself is pretty complicated because
it first builds dummy markers without dots, then goes back to the ones
with dots to fetch the configuration from them. Why not just use the
ones with dots (and use marker.value for simple string content) and
replace the dots later - e.g. where you replace the markers in the
properties?

The rest of the patch looks really good. If you want to discuss this
further you can also contact me off-list via skype (susanne.moog).

Best regards,

Susanne
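The point made in the review above, that marker values are resolved from their dotted TypoScript configuration and quoted before they reach the query, as an added illustration that is not taken from the patch or from TYPO3 itself (assumed names: quoteStr standing in for the driver's fullQuoteStr, $gp for the request parameters):

```php
<?php
// Added illustration, not TYPO3's own getQueryMarkers: markers are stored
// TypoScript-style ("name" holds a plain string, "name." its sub-properties);
// every resolved value is quoted as a string literal before it is substituted.
// Assumed: $gp stands in for the GET/POST parameters, quoteStr for the
// database driver's escaping (fullQuoteStr in TYPO3).

function quoteStr(string $value): string {
    // escape backslash and single quote, then wrap in single quotes
    return "'" . addcslashes($value, "\\'") . "'";
}

function resolveMarker(string $plain, array $conf, array $gp): string {
    // precedence: .data (request parameter) > .value > plain "name = ..." string
    $value = $conf['value'] ?? $plain;
    if (isset($conf['data']) && strncmp($conf['data'], 'GP:', 3) === 0) {
        $value = (string)($gp[substr($conf['data'], 3)] ?? '');
    }
    if (isset($conf['wrap'])) {                 // "|" is replaced by the value
        $value = str_replace('|', $value, $conf['wrap']);
    }
    return $value;
}

function getQueryMarkers(array $markers, array $gp): array {
    $resolved = [];
    foreach (array_keys($markers) as $key) {
        $name = rtrim((string)$key, '.');       // "sortfield" and "sortfield." are one marker
        if (isset($resolved['###' . $name . '###'])) { continue; }
        $plain = is_string($markers[$name] ?? null) ? $markers[$name] : '';
        $conf  = is_array($markers[$name . '.'] ?? null) ? $markers[$name . '.'] : [];
        $resolved['###' . $name . '###'] = quoteStr(resolveMarker($plain, $conf, $gp));
    }
    return $resolved;
}

function substituteMarkers(string $clause, array $resolved): string {
    // a quoted marker is a string literal: right for value positions in "where",
    // not for identifier positions such as ORDER BY
    return strtr($clause, $resolved);
}

// constructed sample mirroring the quoted TypoScript; the request value carries a quote
$markers = [
    'whatever.' => ['data' => 'GP:first'],
    'sortfield' => 'ti', 'sortfield.' => ['wrap' => '|tle'],
];
$gp = ['first' => "x' OR 1=1 -- "];
$resolved = getQueryMarkers($markers, $gp);
echo substituteMarkers('title > ###whatever###', $resolved), "\n";
```

Because the resolved value is always emitted as a quoted literal, the quote in the request parameter stays inside the string instead of terminating it; the same literal placed in ORDER BY is a constant rather than a column name, which is one reason a marker there needs separate validation against the table's columns.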

