[TYPO3-core] RFC #13940 Preventing SQL injections in CONTENT object

Jigal van Hemert jigal at xs4all.nl
Tue Mar 30 21:49:32 CEST 2010


Attached version 2 with the following changes:
- NULL as a value for markers is supported ('null' and 'NULL' also)
- markers are replaced in two places:
   1. properties which are converted to integers, etc. need replacement before they are processed in the query builder
   2. after the query parts are built the remaining markers are replaced; now the markers can be used inside stdWrap properties (thanks Martin for the idea)

Notes:
- numeric values are not inserted as quoted values, because comparison rules are different for quoted and unquoted values in MySQL. If needed DBAL will (have to) handle this for other DBMSs.

-- 
Jigal van Hemert.
Name: 13940_trunk_v2.diff
URL: <http://lists.typo3.org/pipermail/typo3-team-core/attachments/20100330/65becc3a/attachment.txt>
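The substitution rules from the mail (NULL spellings, unquoted numerics, quoted and escaped strings, two replacement phases) as an added PHP illustration; this is not the attached patch's code, and the ###NAME### marker syntax and the stand-in escaper are assumptions:

```php
<?php
// Added example, not the attached patch's own code. Mirrors the rules from the
// mail: NULL/'null'/'NULL' become SQL NULL, numeric values stay unquoted,
// everything else is quoted and escaped. The ###NAME### marker syntax and the
// escaper below are assumptions made for this illustration.

function quoteMarkerValue($value): string
{
    // NULL in any of the three accepted spellings becomes an unquoted NULL
    if ($value === null || (is_string($value) && strtolower($value) === 'null')) {
        return 'NULL';
    }
    // Plain integers/decimals are inserted unquoted so MySQL compares numerically
    if (is_int($value) || is_float($value)
        || (is_string($value) && preg_match('/^-?\d+(\.\d+)?$/', $value))) {
        return (string)$value;
    }
    // Anything else is a string literal: escape the characters MySQL treats
    // specially inside quotes (backslash first, so it is not escaped twice)
    $escaped = str_replace(
        ["\\", "'", "\"", "\0", "\n", "\r", "\x1a"],
        ["\\\\", "\\'", "\\\"", "\\0", "\\n", "\\r", "\\Z"],
        (string)$value
    );
    return "'" . $escaped . "'";
}

function substituteMarkers(string $text, array $markers): string
{
    $pairs = [];
    foreach ($markers as $name => $value) {
        $pairs['###' . $name . '###'] = quoteMarkerValue($value);
    }
    // strtr() with an array makes a single pass, so a substituted value that
    // itself contains ###...### is never expanded a second time
    return strtr($text, $pairs);
}

// Constructed sample values; in TYPO3 they would come from the request/page
$markers = ['LIMIT' => '10', 'TITLE' => "O'Reilly", 'PID' => '5'];
$conf = ['max' => '###LIMIT###', 'where' => 'title = ###TITLE### AND pid = ###PID###'];

// Phase 1: properties the query builder casts get their markers replaced first,
// otherwise the (int) cast of the raw marker string would silently yield 0
$conf['max'] = (int)substituteMarkers($conf['max'], $markers);

// Phase 2: remaining markers in the assembled query parts (usable in stdWrap too)
$where = substituteMarkers($conf['where'], $markers);
echo 'LIMIT ' . $conf['max'] . "\nWHERE " . $where . "\n";
```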
