[TYPO3-core] RFC #13940 Preventing SQL injections in CONTENT object
Jigal van Hemert
jigal at xs4all.nl
Tue Mar 30 21:49:32 CEST 2010
Attached version 2 with the following changes:
- NULL as a value for markers supported ('null' and 'NULL' also)
- markers are replaced in two places:
  1. properties which are converted to integers, etc. need replacement before they are processed in the query builder
  2. after the query parts are built the remaining markers are replaced; now the markers can be used inside stdWrap properties (thanks Martin for the idea)

Notes:
- numeric values are not inserted as quoted values, because comparison rules are different for quoted and unquoted values in MySQL. If needed DBAL will (have to) handle this for other DBMSs.
--
Jigal van Hemert.
Name: 13940_trunk_v2.diff
URL: <http://lists.typo3.org/pipermail/typo3-team-core/attachments/20100330/65becc3a/attachment.txt>
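Added illustration (not the attached patch, and not TYPO3 core code): a marker substitution in the spirit of the RFC, where string values are escaped and quoted, numeric values are inserted unquoted, and null / 'null' / 'NULL' become the SQL keyword NULL. The function name, the `###NAME###` marker syntax and the `$quoteString` callback are assumptions of this example.

```php
<?php
declare(strict_types=1);

/**
 * Replace ###NAME### markers in a query fragment with safely rendered values.
 *
 * @param string   $sql          Query fragment containing ###NAME### markers
 * @param array    $markers      name => value (string|int|float|null)
 * @param callable $quoteString  Escapes and quotes a string for the DBMS
 */
function replaceQueryMarkers(string $sql, array $markers, callable $quoteString): string
{
    $pairs = [];
    foreach ($markers as $name => $value) {
        $marker = '###' . $name . '###';
        if ($value === null || in_array($value, ['null', 'NULL'], true)) {
            // The keyword NULL is never quoted; the condition must use IS / IS NOT.
            $pairs[$marker] = 'NULL';
        } elseif (is_int($value) || is_float($value)) {
            // Numeric values stay unquoted: MySQL compares quoted and unquoted
            // values under different rules, so quoting would change semantics.
            $pairs[$marker] = (string)$value;
        } else {
            $pairs[$marker] = $quoteString((string)$value);
        }
    }
    // strtr() replaces each marker exactly once and never re-scans inserted
    // text, so a value that itself contains "###title###" is not expanded again
    // (str_replace() with arrays would re-scan and is therefore avoided here).
    return strtr($sql, $pairs);
}

// Constructed stand-in for the database driver's own escaping routine.
$quote = static fn(string $s): string => "'" . addslashes($s) . "'";

// Constructed query fragment: one integer, one string, one NULL marker.
$where = 'uid = ###uid### AND title = ###title### AND hidden_at IS ###hidden###';
echo replaceQueryMarkers($where, [
    'uid'    => 42,
    'title'  => "O'Reilly ###uid###",
    'hidden' => 'NULL',
], $quote), "\n";
```

The title value deliberately contains a marker-shaped substring to show that it is inserted literally rather than expanded.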