[TYPO3-core] RFC #13940 Preventing SQL injections in CONTENT object

Jigal van Hemert jigal at xs4all.nl
Tue Mar 30 11:23:45 CEST 2010


Martin Holtz wrote:
> I think it is good to provide a solution to build secure SQL without the 
> need for an own userfunc, but i totally disagree with marking andWhere as 
> deprecated.

andWhere's only purpose must have been to supply a property with stdWrap 
support. This introduced the SQL injection problems.
Anyhow, without deprecating this property we only provide a mechanism to 
bypass SQL injection problems, but still leave the route open to 
introduce your own SQL injection security problem.

> Why not just add andWhere to the list of supported markers? 

Marker handling is only provided for the (string) value part of each 
property. It's not used in stdWrap, simply because it's specific for 
safely injecting values in queries. So your example below with markers 
in properties of a TEXT object won't work that way.

> To make it clear: Admin and Developers are responsible for their code, so 
> don't break existing code without need. 

Maybe they are legally responsible, but if a major website you made was 
hacked the news messages about it would not say that a Martin Holtz 
website was hacked, but that a TYPO3 website was hacked.

And when a client complains to the developer of the site, that developer 
may very likely claim that there is a bug in TYPO3 which caused this. He 
can point to several bug reports which are not solved and can claim that 
"TYPO3" knew about the problem and did not fix it. So much for 
responsibility...

> Add the marker solution to andWhere, 
> add stdWrap to where and everything would be fine.

Adding stdWrap to 'where' is superfluous, because andWhere already has 
stdWrap. Adding the marker solution to andWhere is no problem, but is 
pointless because you can use 'where' with markers.
If adding andWhere to the list of fields which support the markers makes 
the patch acceptable then that is no problem for me :-)

> How could such simple statement be implemented without stdWrap?
> 
> andWhere.cObject = COA
> andWhere.cObject {
>    10 = TEXT
>    10.value = AND title = ###title###
>    10.if.isTrue.data = GP:title
>    20 = TEXT
>    20.value = AND name = ###name###
>    20.if.isTrue.data = GP:name
>    30 = TEXT
>    30.value = AND whatever = ###whatever###
>    30.if.isTrue.data = GP:whatever
> }

This is an example of a dynamically constructed query. In fact you're 
building three different queries and this could also be a solution: 
build a COA of CONTENT elements, make 2 and 3 copies of the first and 
only change the andWhere/where parts.
Fortunately there are almost always 2-3 ways to do something similar.

-- 
Jigal van Hemert.
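An added example (not part of this thread, the RFC patch, or TYPO3's own documentation) contrasting the two approaches discussed above: the andWhere property with stdWrap, where a request value is concatenated straight into the SQL, and a where clause with markers, where only the value part of each marker is substituted. The property names under select.markers and the claim that marker values are quoted before substitution are assumed from the TYPO3 4.4 implementation of this RFC, not taken from the message; the page id 73 and the field names are constructed.

```typoscript
# Added example, not code from the thread. Names under select.markers are
# assumed from the TYPO3 4.4 implementation of RFC #13940.

# Variant A: andWhere with stdWrap (the pattern the RFC deprecates).
# The GP value is wrapped into the SQL string as-is, so anything typed into
# ?title= becomes part of the query text.
page.10 = CONTENT
page.10 {
  table = tt_content
  select {
    pidInList = 73
    andWhere.data = GP:title
    andWhere.wrap = AND title = '|'
  }
}

# Variant B: where with markers (the mechanism the RFC adds).
# The marker ###title### is replaced by the quoted value only; the SQL
# structure comes from the TypoScript, never from the request.
page.20 = CONTENT
page.20 {
  table = tt_content
  select {
    pidInList = 73
    where = title = ###title###
    markers {
      title.data = GP:title
    }
  }
}
```

Both objects render the same records for a harmless title; they differ only in where a request value can end up. In variant A the stdWrap chain (data, then wrap) produces SQL text, so the admin must escape the value themselves; in variant B the marker value is a plain string and the escaping is done once, in the CONTENT object, which is the point Jigal makes about keeping the route to a self-made injection closed.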

