[TYPO3-core] RFC #13940 Preventing SQL injections in CONTENT object
Jigal van Hemert
jigal at xs4all.nl
Mon Mar 29 11:02:18 CEST 2010
Hi,
This is an SVN patch request.
Type: feature
Bugtracker references:
http://bugs.typo3.org/view.php?id=13940
Branches:
trunk
Problem: select.andWhere supports stdWrap, which makes SQL injection
problems possible.
Lots of people like to have stdWrap support for other properties of
'select' too, but this would lead to more SQL injection holes.
Solution:
- all properties of 'select' support the use of markers
- the markers are defined in a separate 'markers' property and properly
escaped/quoted before injecting the values
- mark 'andWhere' as deprecated (stdWrap support for WHERE clause is now
implemented by the use of markers)
(I only made a patch for trunk, but upon approval I will port this to
4.3, 4.2, ... )
--
Jigal van Hemert.
Attachment: 13940_trunk.diff
URL: <http://lists.typo3.org/pipermail/typo3-team-core/attachments/20100329/ff6b0d9d/attachment.asc>
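As an added illustration of the approach this RFC proposes (it is not the attached 13940_trunk.diff and not TYPO3's own code), the PHP sketch below shows the difference between concatenating a stdWrap result straight into andWhere and substituting it through a separately defined marker that is quoted first. The ###NAME### marker syntax, the function names and the minimal quoting routine are assumptions made for the example; in TYPO3 the database layer does the quoting.

```php
<?php
// Added example, not TYPO3 code: marker substitution with quoting applied
// before the value ever becomes part of the SQL text.

// Stand-in for the database layer's string quoting (an assumption for this
// example): escape the two characters that can end a single-quoted literal.
function quoteValue(string $value): string
{
    return "'" . str_replace(['\\', "'"], ['\\\\', "\\'"], $value) . "'";
}

// Replace every ###NAME### token with the quoted value from $markers.
// A marker with no definition is left untouched on purpose, so a typo in
// the TypoScript produces a failing query instead of a silently wider one.
function substituteMarkers(string $sql, array $markers): string
{
    return preg_replace_callback(
        '/###([A-Za-z0-9_]+)###/',
        function (array $m) use ($markers): string {
            if (!array_key_exists($m[1], $markers)) {
                return $m[0];
            }
            return quoteValue((string)$markers[$m[1]]);
        },
        $sql
    );
}

// The deprecated pattern: the stdWrap output is concatenated into the
// WHERE fragment, so a single quote in the value changes the query.
function andWhereUnsafe(string $userValue): string
{
    return "deleted=0 AND title='" . $userValue . "'";
}

// The marker pattern: the TypoScript author writes the fragment with a
// marker and supplies the value separately; it is quoted on the way in.
function andWhereWithMarker(string $userValue): string
{
    return substituteMarkers('deleted=0 AND title=###TITLE###', ['TITLE' => $userValue]);
}

// Constructed sample value containing a quote, as a stdWrap result might.
$input = "x' OR '1'='1";

echo andWhereUnsafe($input), PHP_EOL;
// deleted=0 AND title='x' OR '1'='1'   (matches every row)

echo andWhereWithMarker($input), PHP_EOL;
// deleted=0 AND title='x\' OR \'1\'=\'1'   (the quote stays inside the literal)
```

The point the RFC makes is visible in the two outputs: with andWhere the value is already SQL by the time stdWrap returns it, whereas with markers the only thing stdWrap can produce is a value, and the quoting step happens in one place that the TypoScript author cannot skip. Numeric comparisons need the same treatment (a cast or a quoted literal), which is why the value is never inserted raw here.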