[TYPO3-core] RFC #13940 Preventing SQL injections in CONTENT object

Martin Holtz typo3 at martinholtz.de
Mon Mar 29 21:19:10 CEST 2010


Hi,

> Solution:
> - all properties of 'select' support the use of markers
> - the markers are defined in a separate 'markers' property and properly
> escaped/quoted before injecting the values
> - mark 'andWhere' as deprecated (stdWrap support for WHERE clause is now
> implemented by the use of markers)
I think it is good to provide a solution to build secure SQL without the 
need for an own userfunc, but I totally disagree with marking andWhere as 
deprecated.

Why not just add andWhere to the list of supported markers? The admins and 
developers who are able to write TypoScript which provides SQL-Injections 
would be aware of the possibility to use the markers. The others will use an 
extension for adding SQL-Injections;)

To make it clear: Admins and developers are responsible for their code, so 
don't break existing code without need. Add the marker solution to andWhere, 
add stdWrap to where and everything would be fine.

How could such a simple statement be implemented without stdWrap?

andWhere.cObject = COA
andWhere.cObject {
   10 = TEXT
   10.value = AND title = ###title###
   10.if.isTrue.data = GP:title
   20 = TEXT
   20.value = AND name = ###name###
   20.if.isTrue.data = GP:name
   30 = TEXT
   30.value = AND whatever = ###whatever###
   30.if.isTrue.data = GP:whatever
}

regards,
martin
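Added illustration for readers of this thread (not code from the RFC, from Martin's mail, or from the TYPO3 core): the quoted solution's idea of quoting marker values before they are injected, and the conditional andWhere COA from the mail, modelled in Python against a constructed in-memory SQLite table. The helpers quote_value, build_where_with_markers, and_where_from_request and the sample rows are assumptions of this example and not TYPO3 APIs; the template for the marker builder carries no quotes around ###title### (exactly as in the mail), while the unsafe builder shown for contrast pastes the raw value into a quoted template, which is the pattern the RFC wants to retire.

```python
import re
import sqlite3

# Marker syntax from the RFC: ###name###
MARKER_RE = re.compile(r"###([A-Za-z0-9_]+)###")


def quote_value(value):
    """Quote a scalar as an SQL string literal, doubling embedded single quotes.

    Hypothetical helper standing in for the 'properly escaped/quoted'
    step the RFC describes; it is not a TYPO3 function."""
    return "'" + str(value).replace("'", "''") + "'"


def build_where_with_markers(template, markers):
    """Replace every ###name### in template with the quoted value from markers.

    A marker without a value raises instead of leaving a hole in the SQL."""
    def substitute(match):
        name = match.group(1)
        if name not in markers:
            raise KeyError("no value supplied for marker ###%s###" % name)
        return quote_value(markers[name])
    return MARKER_RE.sub(substitute, template)


def build_where_unsafe(template, markers):
    """Contrast case: raw request values pasted into the clause, no quoting."""
    for name, value in markers.items():
        template = template.replace("###%s###" % name, str(value))
    return template


def and_where_from_request(columns, request_params):
    """Mirror the COA in the mail: emit 'AND <col> = ###<col>###' only for
    request parameters that are set (the 10.if.isTrue.data = GP:title idea)
    and collect the marker values to quote later.

    Column names come from the code-defined list, never from the request."""
    parts = []
    markers = {}
    for col in columns:
        value = request_params.get(col)
        if value:
            parts.append("AND %s = ###%s###" % (col, col))
            markers[col] = value
    return " ".join(parts), markers


def count_matches(where_clause):
    """Run the clause against a constructed table and return the row count."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (uid INTEGER, title TEXT, name TEXT)")
    # Constructed sample rows for the demonstration.
    conn.executemany(
        "INSERT INTO pages VALUES (?, ?, ?)",
        [(1, "Home", "home"), (2, "About", "about"), (3, "Contact", "contact")],
    )
    row = conn.execute(
        "SELECT COUNT(*) FROM pages WHERE 1=1 " + where_clause
    ).fetchone()
    conn.close()
    return row[0]


if __name__ == "__main__":
    # Constructed request: only 'title' is set, 'name' is empty and is skipped.
    clause, markers = and_where_from_request(
        ["title", "name"], {"title": "Home", "name": ""}
    )
    print(clause, "->", count_matches(build_where_with_markers(clause, markers)))
    # Constructed hostile title value: quoting keeps it a plain string literal.
    hostile = {"title": "x' OR '1'='1"}
    print(count_matches(build_where_with_markers("AND title = ###title###", hostile)))
    print(count_matches(build_where_unsafe("AND title = '###title###'", hostile)))
```

The point of the contrast is visible in the row counts: the quoted marker turns the hostile value into a literal that matches nothing, while the raw paste widens the clause to every row. Marking andWhere as a marker-aware property, as the mail argues, would let the existing COA keep its shape while gaining this quoting.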

