[TYPO3-core] RFC #13940 Preventing SQL injections in CONTENT object

Susanne Moog typo3 at susannemoog.de
Tue Apr 13 22:34:49 CEST 2010


+1 by reading and testing v4.

Test setup was

page.60 = CONTENT
page.60 {
    table = tt_content
    select {
        pidInList = 73
        where = header != ###whatever###
        orderBy = ###sortfield###
        markers {
          whatever.data = GP:first
          sortfield.value = sor
          sortfield.wrap = |ting
        }
    }
}

(if you destroy the where with renaming header to headder or something
you see the query generated in the debug message and can play around
with the stdWrap parameters)

On 13.04.2010 22:08, Jigal van Hemert wrote:
> Version 4 attached.
> 
> After discussing things with Susanne tonight the following functionality
> is included:
> 
> CONTENT.select has a new property 'markers'. This is an array of marker
> names. Each marker name has a property 'value' to set a value directly
> and supports all stdWrap properties. To interpret the data as a comma
> separated list an extra property 'commaSeparatedList' is added; when set
> the value is quoted as a comma separated list.
> 
> Example:
> 
> 10 = CONTENT
> 10 {
>     table = tt_news
>     select {
>         selectFields = *
>         pidInList = 4
>         where = title > ###name### AND uid IN (###list###)
>         markers {
>             name.data = GP:first
>             name.wrap = a|a
>             list.value = 1,2
>             list.commaSeparatedList = 1
>         }
>     }
> }
> 
> Documentation for TSref:
> 
> markers : array of marker names; each name supports:
> 
> value
>   type: value
>   description: The value of the marker
> 
> commaSeparatedList
>   type: bool
>   description: If set the value is parsed as a comma separated list
> 
> (stdWrap properties)
> 
> Thanks to Martin, Steffen, Susanne and others for their feedback and
> arguments.
> 
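The marker substitution Jigal describes above, as an added illustration that is not part of the original thread and not TYPO3's own code: a small PHP function that replaces ###name### markers in a where clause with quoted values, quoting each element separately when commaSeparatedList is set, and leaving unconfigured markers untouched so a typo shows up in the debug output instead of silently matching everything. quoteValue() is a hypothetical stand-in for the database layer's fullQuoteStr(); the $markers array (assumed to be already stdWrap-processed) and the $where string are constructed sample input.

```php
<?php
// Added illustration, not TYPO3 code: safe substitution of ###marker###
// placeholders in a CONTENT.select where clause. Every marker value is
// passed through quoteValue(), so request data never reaches the query
// as raw SQL.

/**
 * Quote a single value as a SQL string literal.
 * Hypothetical stand-in for $TYPO3_DB->fullQuoteStr(); uses MySQL-style
 * backslash escaping.
 */
function quoteValue(string $value): string
{
    $escaped = str_replace(
        ["\\", "'", "\"", "\0", "\n", "\r", "\x1a"],
        ["\\\\", "\\'", "\\\"", "\\0", "\\n", "\\r", "\\Z"],
        $value
    );
    return "'" . $escaped . "'";
}

/**
 * Replace ###name### markers in $where using the markers configuration.
 *
 * $markers mirrors the TypoScript 'markers' block after stdWrap has run:
 * each entry has 'value' and optionally 'commaSeparatedList' => 1.
 *
 * Markers that are not configured are left as they are rather than
 * replaced by an empty string (design choice of this example).
 */
function substituteMarkers(string $where, array $markers): string
{
    return preg_replace_callback(
        '/###([A-Za-z0-9_]+)###/',
        function (array $match) use ($markers): string {
            $name = $match[1];
            if (!isset($markers[$name])) {
                return $match[0];   // unknown marker: leave untouched
            }
            $conf  = $markers[$name];
            $value = (string)($conf['value'] ?? '');
            if (!empty($conf['commaSeparatedList'])) {
                // Each list element is quoted on its own, e.g. 1,2 -> '1','2'
                $items = array_map('trim', explode(',', $value));
                return implode(',', array_map('quoteValue', $items));
            }
            return quoteValue($value);
        },
        $where
    );
}

// Constructed sample input: 'name' stands for what GP:first with wrap a|a
// would produce, including a stray quote character to show it is escaped.
$markers = [
    'name' => ['value' => "a' OR 1=1 --a"],
    'list' => ['value' => '1,2', 'commaSeparatedList' => 1],
];
$where = 'title > ###name### AND uid IN (###list###)';

echo substituteMarkers($where, $markers), PHP_EOL;
```

Running the script prints the where clause with both markers replaced by quoted literals; the quote inside the name value is escaped rather than terminating the string, and the list marker expands to one quoted item per element.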
