[TYPO3-core] RFC #16486: bug: BE livesearch results in errors when DBAL is installed
Marcus Krause
marcus#exp2010 at t3sec.info
Mon Nov 22 13:05:04 CET 2010
hi!
Reminder!
Helmut Hummel wrote on 11/20/2010 02:14 PM:
> Hi,
>
> sorry for the slight off topic here, but ...
>
> On 19.11.10 22:48, Jigal van Hemert wrote:
>> $queryLikeStatement = ' LIKE \'%' . $this->getQueryString($tableName) . '%\'';
>> public function getQueryString($tableName = '') {
>> return $GLOBALS['TYPO3_DB']->quoteStr($this->queryString, $tableName);
>> }
>
> ... when looking at this, I ask myself two things:
>
> 1. Why isn't the query string prepared for the LIKE query
> (escapeStringforLike) but only quoteStr is used?
t3lib_db::escapeStrForLike() is indeed missing
> 2. Is there a check done, if the current user has access to the records
> shown in the live results (I didn't check that myself)?
Access restrictions/permissions are considered. (tested)
Marcus.
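
The gap discussed in this thread, as an added example that is not part of the original message or of TYPO3's code: quoting a search term makes it safe as a string literal but leaves `%` and `_` active as LIKE wildcards. It uses Python's sqlite3 instead of t3lib_db; `escape_for_like`, the `pages` table and its rows are constructed for illustration, parameter binding stands in for quoteStr(), and the explicit `ESCAPE '\'` reproduces MySQL's default backslash escape.

```python
import sqlite3


def escape_for_like(term, escape_char="\\"):
    """Prefix LIKE metacharacters with the escape character so they match literally."""
    # The escape character itself must be handled first, then the two wildcards.
    for ch in (escape_char, "%", "_"):
        term = term.replace(ch, escape_char + ch)
    return term


def search(conn, term, escape):
    """Return titles containing `term`, with or without LIKE escaping."""
    if escape:
        term = escape_for_like(term)
    # Binding the value prevents SQL injection (the job quoteStr() does),
    # but the database still interprets % and _ inside the pattern.
    rows = conn.execute(
        "SELECT title FROM pages WHERE title LIKE ? ESCAPE '\\' ORDER BY title",
        ("%" + term + "%",),
    )
    return [row[0] for row in rows]


def make_db():
    """Build an in-memory table with constructed sample records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (title TEXT)")
    conn.executemany(
        "INSERT INTO pages VALUES (?)",
        [("100% cotton",), ("1000 visitors",), ("tt_content",),
         ("tt content",), ("News",)],
    )
    return conn


if __name__ == "__main__":
    db = make_db()
    for term in ("100%", "tt_content", "%"):
        print(repr(term), "quoted only :", search(db, term, escape=False))
        print(repr(term), "LIKE-escaped:", search(db, term, escape=True))
```

Without the escaping step, a search for `%` alone matches every row, so the user's input changes the shape of the query even though no injection is possible.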