[TYPO3-core] RFC #13940 Preventing SQL injections in CONTENT object

Jigal van Hemert jigal at xs4all.nl
Mon Mar 29 11:02:18 CEST 2010


Hi,

This is an SVN patch request.

Type: feature

Bugtracker references:
http://bugs.typo3.org/view.php?id=13940

Branches:
trunk

Problem: select.andWhere supports stdWrap, which makes SQL injection 
problems possible.
Lots of people like to have stdWrap support for other properties of 
'select' too, but this would lead to more SQL injection holes.

Solution:
- all properties of 'select' support the use of markers
- the markers are defined in a separate 'markers' property and properly 
escaped/quoted before injecting the values
- mark 'andWhere' as deprecated (stdWrap support for WHERE clause is now 
implemented by the use of markers)

(I only made a patch for trunk, but upon approval I will port this to 
4.3, 4.2, ... )

-- 
Jigal van Hemert.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 13940_trunk.diff
URL: <http://lists.typo3.org/pipermail/typo3-team-core/attachments/20100329/ff6b0d9d/attachment.asc>
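As an added illustration of the two approaches the RFC contrasts (this is example code written for this page, not the attached patch and not TYPO3's own implementation): the first function shows what happens when a stdWrap-processed value is concatenated into a WHERE clause, the second substitutes typed markers after escaping or quoting each value. The function names, the `###NAME###` marker syntax, the 'int'/'intlist'/'string' marker types and the quoting routine are all assumptions made for this example; a real implementation would delegate quoting to the database layer.

```php
<?php
// Example code for illustration only; not TYPO3 core code and not the patch
// from RFC #13940. Function names, marker types and the quoting routine are
// assumptions chosen for this demonstration.

// Constructed attacker-controlled input, e.g. what stdWrap's data = GP:uid
// would hand to select.andWhere without any quoting.
$untrusted = "1' OR '1'='1";

// Unsafe: select.andWhere with stdWrap simply concatenates the raw value.
function buildWhereWithAndWhere(string $baseWhere, string $andWhere): string
{
    return $baseWhere . ' AND ' . $andWhere;
}

// Hypothetical quoting for string markers: escape backslash first, then the
// single quote, then wrap the result in single quotes.
function quoteString(string $value): string
{
    return "'" . str_replace(['\\', "'"], ['\\\\', "\\'"], $value) . "'";
}

// Safe: every marker is declared with a type, the value is escaped or quoted
// according to that type, and only then inserted into the SQL fragment.
function substituteMarkers(string $sql, array $markers): string
{
    $replacements = [];
    foreach ($markers as $name => $spec) {
        $value = (string)($spec['value'] ?? '');
        switch ($spec['type'] ?? 'string') {
            case 'int':       // single integer, e.g. uid = ###UID###
                $quoted = (string)(int)$value;
                break;
            case 'intlist':   // comma-separated integers, e.g. uid IN (###UIDS###)
                $quoted = implode(',', array_map('intval', explode(',', $value)));
                break;
            case 'string':    // quoted string literal
            default:
                $quoted = quoteString($value);
        }
        $replacements['###' . strtoupper($name) . '###'] = $quoted;
    }
    // strtr() with an array replaces all markers in one pass and never
    // rescans inserted values, so a value containing ###FOO### cannot
    // trigger a second substitution.
    $result = strtr($sql, $replacements);

    // A marker left unreplaced is almost certainly a typo in the TypoScript;
    // failing loudly beats sending a query with a literal ###X### to the DB.
    if (preg_match('/###[A-Z0-9_]+###/', $result, $m)) {
        throw new RuntimeException('Unreplaced marker in query: ' . $m[0]);
    }
    return $result;
}

// Old style: the injected quote breaks out of the literal.
$unsafe = buildWhereWithAndWhere('pid = 5', "uid = '" . $untrusted . "'");
echo $unsafe, "\n";
// pid = 5 AND uid = '1' OR '1'='1'

// Marker style: the same input is reduced to an integer, and a string marker
// with an embedded quote is escaped instead of terminating the literal.
$safe = substituteMarkers(
    'pid = 5 AND uid = ###UID### AND title = ###TITLE###',
    [
        'uid'   => ['type' => 'int',    'value' => $untrusted],
        'title' => ['type' => 'string', 'value' => "O'Reilly"],
    ]
);
echo $safe, "\n";
// pid = 5 AND uid = 1 AND title = 'O\'Reilly'
```

The essential difference is where the untrusted value meets the SQL: with andWhere plus stdWrap the TypoScript author has to remember to quote, and any property that later gains stdWrap support opens the same hole; with typed markers the quoting is done once, centrally, at substitution time, which is why the RFC can safely extend stdWrap to the other 'select' properties.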
