[TYPO3-core] RFC #13940 Preventing SQL injections in CONTENT object
Martin Holtz
typo3 at martinholtz.de
Mon Mar 29 21:19:10 CEST 2010
Hi,
> Solution:
> - all properties of 'select' support the use of markers
> - the markers are defined in a separate 'markers' property and properly
> escaped/quoted before injecting the values
> - mark 'andWhere' as deprecated (stdWrap support for WHERE clause is now
> implemented by the use of markers)
I think it is good to provide a solution to build secure SQL without the
need for an own userfunc, but I totally disagree with marking andWhere as
deprecated.
Why not just add andWhere to the list of supported markers? The admins and
developers who are able to write TypoScript that provides SQL injections
would be aware of the possibility to use the markers. The others will use an
extension for adding SQL injections ;)
To make it clear: admins and developers are responsible for their code, so
don't break existing code without need. Add the marker solution to andWhere,
add stdWrap to where and everything would be fine.
How could such a simple statement be implemented without stdWrap?
andWhere.cObject = COA
andWhere.cObject {
  # each condition is only appended when the matching GET/POST value is set
  10 = TEXT
  10.value = AND title = ###title###
  10.if.isTrue.data = GP:title
  20 = TEXT
  20.value = AND name = ###name###
  20.if.isTrue.data = GP:name
  30 = TEXT
  30.value = AND whatever = ###whatever###
  30.if.isTrue.data = GP:whatever
}
regards,
martin
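For comparison, here is the marker-based form the RFC summary describes, applied to a CONTENT object. This is an added example, not part of Martin's post or the RFC itself; it assumes the ###name### marker syntax and a 'markers' sub-property of 'select' exactly as the quoted summary states them, and the table, column and GET/POST parameter names are illustrative.

```typoscript
# Added example (not from the RFC or the post above): request values reach the
# WHERE clause only through the 'markers' property, which escapes and quotes
# them before substitution. Column and parameter names are illustrative.
page.10 = CONTENT
page.10 {
  table = tt_content
  select {
    pidInList = this
    orderBy = sorting

    # Unsafe pattern the RFC addresses: a raw request value is concatenated
    # into the SQL, so a crafted parameter can change the statement itself.
    # andWhere.data = GP:header
    # andWhere.wrap = header = '|'

    # Safe pattern: the clause is a fixed template; the values are supplied
    # as markers and quoted by the core before being injected.
    where = header = ###header### AND subheader = ###subheader###
    markers {
      header.data = GP:header
      subheader.data = GP:subheader
    }
  }
}
```

The template itself never contains user input, which is what makes the escaping reliable; the trade-off Martin points out is that an optional condition still needs stdWrap on the clause (or on andWhere) to decide whether it is appended at all.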