[TYPO3-core] RFC #13940 Preventing SQL injections in CONTENT object
Jigal van Hemert
jigal at xs4all.nl
Wed Apr 14 15:21:26 CEST 2010
Tyler Kraft wrote:
> A bit late, but one quick question - will this also then work with
> andWhere and if? For instance can I do this with the markers?
The marker replacement is done in .select properties, not in stdWrap!
> select.andWhere.cObject.10 = TEXT
> select.andWhere.cObject.10.dataWrap = (jtitle LIKE '%###ser###%' OR jdes
> LIKE '%###ser###%' OR jpspec LIKE '%###ser###%'')
These markers will end up in the andWhere after the stdWrap has done its
magic, so you could use them here.
Another problem in your construction: the values represented by the
markers are properly escaped/quoted, so if ###ser### represents a string
value, you'll end up with jtitle LIKE '%'servalue'%' ...
It would be better to use jtitle LIKE ###ser###
and use markers.ser.wrap = %|%
> select.andWhere.cObject.10.if.isTrue = ###ser###
This will be processed by stdWrap before the markers are handled, so use
the value/field which should go into ###ser### here.
If you need more information/examples, please move this to for example
the dev list (core list gets a bit cluttered this way).
--
Jigal van Hemert
skype:jigal.van.hemert
msn: jigal at xs4all.nl
http://twitter.com/jigalvh
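To make the quoting point above concrete, here is a small model of the marker substitution, added to this archive page as an example; it is not TYPO3's own code and not Jigal's. It assumes the behaviour described in the reply: each ###marker### value is run through stdWrap (so a markers.ser.wrap = %|% is applied first) and then fully quoted before it is substituted into the WHERE clause. The quote_value function is a simplified stand-in for the database layer's full-quote routine, and the jtitle/jdes column names and the search value are constructed sample input.

```python
import re

def quote_value(value: str) -> str:
    """Quote a marker value the way a DB layer's full-quote routine would:
    escape backslashes and single quotes, then wrap the result in single quotes.
    Simplified model (assumption), not TYPO3's fullQuoteStr()."""
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")
    return "'" + escaped + "'"

def replace_markers(sql: str, markers: dict) -> str:
    """Replace every ###name### in sql with the quoted marker value.

    markers maps a marker name to (raw_value, wrap); wrap uses the TypoScript
    '|' placeholder syntax (e.g. '%|%') or '' for no wrap.  The wrap is applied
    *before* quoting, so the % characters end up inside the quotes."""
    def substitute(match: re.Match) -> str:
        name = match.group(1)
        if name not in markers:
            raise KeyError(f"no value configured for marker {name}")
        raw, wrap = markers[name]
        if wrap:
            left, right = wrap.split("|", 1)
            raw = left + raw + right
        # Function replacements are inserted literally by re.sub, so the
        # backslashes produced by quote_value() survive unchanged.
        return quote_value(raw)
    return re.sub(r"###(\w+)###", substitute, sql)

# Constructed sample clauses: the original construction puts the quotes and
# wildcards in the SQL text itself, the corrected one leaves quoting to the marker.
BROKEN_WHERE = "(jtitle LIKE '%###ser###%' OR jdes LIKE '%###ser###%')"
FIXED_WHERE = "(jtitle LIKE ###ser### OR jdes LIKE ###ser###)"

def broken_where(search: str) -> str:
    """Original construction: yields LIKE '%'value'%' (broken SQL)."""
    return replace_markers(BROKEN_WHERE, {"ser": (search, "")})

def fixed_where(search: str) -> str:
    """Corrected construction with markers.ser.wrap = %|%: yields LIKE '%value%'."""
    return replace_markers(FIXED_WHERE, {"ser": (search, "%|%")})

if __name__ == "__main__":
    print(broken_where("servalue"))
    print(fixed_where("servalue"))
    print(fixed_where("O'Reilly"))
```

Running it shows the first clause degenerate into '%'servalue'%' while the second keeps the wildcards inside a single properly quoted literal; a value containing a quote is escaped by the marker machinery rather than breaking out of the literal.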