[TYPO3-core] RFC #16486: bug: BE livesearch results in errors when DBAL is installed
Helmut Hummel
helmut at typo3.org
Sat Nov 20 14:14:28 CET 2010
Hi,
sorry for the slight off-topic here, but ...
On 19.11.10 22:48, Jigal van Hemert wrote:
> $queryLikeStatement = ' LIKE \'%' . $this->getQueryString($tableName) . '%\'';
> public function getQueryString($tableName = '') {
> return $GLOBALS['TYPO3_DB']->quoteStr($this->queryString, $tableName);
> }
... when looking at this, I ask myself two things:
1. Why isn't the query string prepared for the LIKE query
(escapeStringforLike), and only quoteStr is used?
2. Is there a check done whether the current user has access to the records
shown in the live results (I didn't check that myself)?
Regards, Helmut
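An added example (not TYPO3 code and not from Helmut's or Jigal's posts) that models the first question against an in-memory SQLite table: quote_str and escape_str_for_like are assumed stand-ins for quoteStr and escapeStrForLike, and SQLite quoting rules are used, so quote_str doubles single quotes instead of backslash-escaping them as MySQL would.

```python
import sqlite3

# Constructed sample titles; the last three exercise the '%', '_' and quote cases.
ROWS = ["Welcome", "100% organic", "a_b", "acb", "O'Reilly"]


def quote_str(s: str) -> str:
    """Quote escaping only (the role quoteStr plays in the quoted snippet).
    The LIKE wildcards '%' and '_' pass through untouched."""
    return s.replace("'", "''")


def escape_str_for_like(s: str) -> str:
    """Escape LIKE metacharacters so the search term is matched literally
    (the role escapeStrForLike plays). Backslash is the ESCAPE character."""
    return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def build_like(user_input: str, escape_wildcards: bool) -> str:
    """Build the ' LIKE '%...%'' clause either the way the snippet does
    (quote_str only) or with LIKE escaping applied first."""
    term = escape_str_for_like(user_input) if escape_wildcards else user_input
    clause = "title LIKE '%" + quote_str(term) + "%'"
    if escape_wildcards:
        clause += " ESCAPE '\\'"  # SQLite needs an explicit ESCAPE character
    return clause


def search(user_input: str, escape_wildcards: bool) -> list:
    """Run the livesearch-style query and return the matched titles."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE pages (title TEXT)")
    con.executemany("INSERT INTO pages VALUES (?)", [(t,) for t in ROWS])
    sql = "SELECT title FROM pages WHERE " + build_like(user_input, escape_wildcards)
    return [row[0] for row in con.execute(sql)]


if __name__ == "__main__":
    for term in ["%", "_", "a_b", "O'Reilly"]:
        print(repr(term), "quoteStr only:", search(term, False))
        print(repr(term), "LIKE-escaped: ", search(term, True))
```

With quote_str alone a search for "%" or "_" returns every row because the wildcards survive into the pattern; escaping them first restricts the match to titles that literally contain those characters.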