[TYPO3-core] RFC #13940 Preventing SQL injections in CONTENT object
Tyler Kraft
tyler.kraft at netefficiency.co.uk
Wed Apr 14 14:13:43 CEST 2010
Hi Jigal
A bit late, but one quick question - will this also then work with
andWhere and if? For instance can I do this with the markers?
select.andWhere.cObject = COA
select.andWhere.cObject.5 = TEXT
.....
select.andWhere.cObject.10 = TEXT
select.andWhere.cObject.10.dataWrap = (jtitle LIKE '%###ser###%' OR jdes LIKE '%###ser###%' OR jpspec LIKE '%###ser###%')
select.andWhere.cObject.10.if.isTrue = ###ser###
Thanks,
Tyler
Jigal van Hemert wrote:
> Version 4 attached.
>
> After discussing things with Susanne tonight the following functionality
> is included:
>
> CONTENT.select has a new property 'markers'. This is an array of marker
> names. Each marker name has a property 'value' to set a value directly
> and supports all stdWrap properties. To interpret the data as a comma
> separated list an extra property 'commaSeparatedList' is added; when set
> the value is quoted as a comma separated list.
>
> Example:
>
> 10 = CONTENT
> 10 {
>   table = tt_news
>   select {
>     selectFields = *
>     pidInList = 4
>     where = title > ###name### AND uid IN (###list###)
>     markers {
>       name.data = GP:first
>       name.wrap = a|a
>       list.value = 1,2
>       list.commaSeparatedList = 1
>     }
>   }
> }
>
> Documentation for TSref:
>
> markers : array of marker names; each name supports:
>
> value
>   type: value
>   description: The value of the marker
>
> commaSeparatedList
>   type: bool
>   description: If set the value is parsed as a comma separated list
>
> (stdWrap properties)
>
> Thanks to Martin, Steffen, Susanne and others for their feedback and
> arguments.
>
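
A simplified model of the marker substitution described in the quoted message, as an added example that is not part of the original mail and not the TYPO3 patch itself. It uses the where clause and marker names from the example above; the function names, the quote-doubling rule, the sample rows and the use of SQLite as a stand-in database are assumptions made for illustration.

```python
import re
import sqlite3

MARKER = re.compile(r"###(\w+)###")
WHERE = "title > ###name### AND uid IN (###list###)"  # where clause from the example


def quote(value):
    # Assumed quoting rule: single-quoted literal with embedded quotes doubled.
    return "'" + str(value).replace("'", "''") + "'"


def substitute_markers(where, markers):
    """Replace every ###name### with a quoted literal; unknown markers raise KeyError."""
    def repl(match):
        conf = markers[match.group(1)]
        if conf.get("commaSeparatedList"):
            # Quote each list item on its own so the commas stay SQL syntax.
            return ",".join(quote(i.strip()) for i in conf["value"].split(","))
        return quote(conf["value"])
    return MARKER.sub(repl, where)


def naive(where, name, uid_list):
    # The pattern the markers replace: request data pasted into the SQL text.
    return where.replace("###name###", "'" + name + "'").replace("###list###", uid_list)


def run(where_sql):
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tt_news (uid INTEGER, title TEXT)")
    db.executemany("INSERT INTO tt_news VALUES (?, ?)",
                   [(1, "alpha"), (2, "beta"), (3, "gamma")])  # constructed rows
    sql = "SELECT uid FROM tt_news WHERE " + where_sql + " ORDER BY uid"
    return [row[0] for row in db.execute(sql)]


def markers_for(name):
    return {"name": {"value": name},
            "list": {"value": "1,2", "commaSeparatedList": 1}}


HOSTILE = "x' OR '1'='1"  # constructed request value

if __name__ == "__main__":
    print(substitute_markers(WHERE, markers_for("b")))
    print(run(substitute_markers(WHERE, markers_for("b"))))
    print(run(naive(WHERE, HOSTILE, "1,2")))
    print(run(substitute_markers(WHERE, markers_for(HOSTILE))))
```

With the naive substitution the constructed value changes the structure of the where clause; with quoted markers it is compared as one string literal and matches no row.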