[TYPO3-core] RFC #13940 Preventing SQL injections in CONTENT object

Martin Holtz typo3ng_2009 at martinholtz.de
Tue Mar 30 12:50:10 CEST 2010


Hi Jigal,

>> I think it is good to provide a solution to build secure SQL without
>> the need for your own userfunc, but I totally disagree with marking
>> andWhere as deprecated.
> 
> andWhere's only purpose must have been to supply a property with stdWrap
> support. This introduced the SQL injection problems.

SQL injections are possible, as in every extension. But if you use an
extension you are able to use a function to sanitize your input. That is
the problem!

There is another big security hole:

10 = TEXT
10.data = GP:badInput
10.wrap = <p>Your Input:|</p>

But it is easy to make that secure! Use htmlSpecialChars = 1 and you
will be fine.


>> Why not just add andWhere to the list of supported markers? 
> 
> Marker handling is only provided for the (string) value part of each
> property. It's not used in stdWrap, simply because it's specific for
> safely injecting values in queries. So your example below with markers
> in properties of a TEXT object won't work that way.
It should be possible to replace the markers after processing stdWrap,
so for
?id=123&title=hello
andWhere would be " AND title = ###title###". Then it is possible to
replace the markers.

>> To make it clear: admins and developers are responsible for their code,
>> so don't break existing code without need.
> 
> Maybe they are legally responsible, but if a major website you made was
> hacked the news messages about it would not say that a Martin Holtz
> website was hacked, but that a TYPO3 website was hacked.
Well, so we should disable the extension manager? That is much more
insecure, because without knowing TYPO3 every PHP coder is able to put
his ugly code into it. I do not think that there are many people around
who are not able to code PHP but would write SQL statements with TypoScript.


>> Add the marker solution to andWhere, add stdWrap to where and
>> everything would be fine.
> 
> Adding stdWrap to 'where' is superfluous, because andWhere already has
> stdWrap. Adding the marker solution to andWhere is no problem, but is
> pointless because you can use 'where' with markers.
Did you ever explain that to someone who is new to TYPO3? "Well, if
you want to use stdWrap, just use andWhere instead of where." It is
possible to explain, but it does not make TypoScript easier.

> If adding andWhere to the list of fields which support the markers makes
> the patch acceptable then that is no problem for me :-)
Great! Yes please :)

Well, I would like to have stdWrap at where as well, because it would
not make sense to have it only at andWhere... but I will be quiet now,
as I do not want to stop your patch :)

> 
>> How could such simple statement be implemented without stdWrap?
>>
>> andWhere.cObject = COA
>> andWhere.cObject {
>>    10 = TEXT
>>    10.value = AND title = ###title###
>>    10.if.isTrue.data = GP:title
>>    20 = TEXT
>>    20.value = AND name = ###name###
>>    20.if.isTrue.data = GP:name
>>    30 = TEXT
>>    30.value = AND whatever = ###whatever###
>>    30.if.isTrue.data = GP:whatever
>> }
> 
> This is an example of a dynamically constructed query. In fact you're
> building three different queries and this could also be a solution:
> build a COA of CONTENT elements, make 2 and 3 copies of the first and
> only change the andWhere/where parts.

You would need some more copies: if only title is true, if title and
name are true, if name and whatever are true, if ...
And it will be fun if you get some more fields to check ;)

So, I will test your patch at the weekend, thanks a lot!

martin
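As an added example, not TYPO3 code and not posted by Martin or Jigal, the following Python script uses sqlite3 as a stand-in for TYPO3's database layer to contrast the two constructions argued over in this thread: an andWhere assembled by pasting GP values into the SQL text (what stdWrap with data = GP:title and a wrap produces), and the COA form where each " AND field = ###field###" fragment is emitted only when its GP value is present, with the markers substituted only after the fragment is complete. The table name tt_content, its columns, the sample rows and the request values are assumptions made for the demonstration; TYPO3's patch replaces markers with quoted strings, while this example binds them as query parameters, which gives the same guarantee that the value never becomes part of the SQL text.

```python
import re
import sqlite3

# Fixed list of columns the TypoScript may filter on; column names never come from the request.
FIELDS = ("title", "name", "whatever")

# Constructed sample rows standing in for a TYPO3 table (not real site data).
ROWS = [
    (1, "hello", "alice", "x"),
    (2, "hello", "bob", "y"),
    (3, "world", "alice", "x"),
]

# The ###name### marker syntax from the mailing-list discussion.
MARKER = re.compile(r"###([A-Za-z_]+)###")


def setup_db():
    """In-memory SQLite table standing in for the CONTENT object's source table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tt_content (uid INTEGER, title TEXT, name TEXT, whatever TEXT)")
    conn.executemany("INSERT INTO tt_content VALUES (?, ?, ?, ?)", ROWS)
    return conn


def unsafe_and_where(gp):
    """What stdWrap on andWhere does: the raw GP value is pasted into the SQL text."""
    return "".join(f" AND {f} = '{gp[f]}'" for f in FIELDS if gp.get(f))


def coa_and_where(gp):
    """Equivalent of the COA from the mail: emit ' AND field = ###field###' only when
    GP:field is non-empty, so one block covers every combination of present filters
    instead of one CONTENT copy per combination."""
    return "".join(f" AND {f} = ###{f}###" for f in FIELDS if gp.get(f))


def bind_markers(fragment, gp):
    """Replace every ###name### with a bound parameter placeholder and collect the values
    in order. The value never touches the SQL text, which is the property marker
    substitution is meant to provide."""
    params = []

    def repl(match):
        params.append(gp[match.group(1)])
        return "?"

    return MARKER.sub(repl, fragment), params


def query_unsafe(conn, gp):
    sql = "SELECT uid FROM tt_content WHERE 1=1" + unsafe_and_where(gp) + " ORDER BY uid"
    return [row[0] for row in conn.execute(sql)]


def query_safe(conn, gp):
    where, params = bind_markers(coa_and_where(gp), gp)
    sql = "SELECT uid FROM tt_content WHERE 1=1" + where + " ORDER BY uid"
    return [row[0] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    db = setup_db()
    # Hypothetical request ?title=hello&name=alice: both variants agree on honest input.
    print(query_unsafe(db, {"title": "hello", "name": "alice"}))  # [1]
    print(query_safe(db, {"title": "hello", "name": "alice"}))    # [1]
    # Injected value: the pasted variant returns every row, the marker variant none.
    evil = {"title": "x' OR '1'='1"}
    print(query_unsafe(db, evil))  # [1, 2, 3]
    print(query_safe(db, evil))    # []
```

The point the COA construction makes is visible in coa_and_where: the number of distinct WHERE clauses grows as 2^n with n optional filters, but the marker text is built from one fixed template per field and the values are bound afterwards, so no combination needs its own CONTENT copy and none of them can alter the query structure.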

