[TYPO3-hci] BE vs FE

Bernhard Kraft kraftb at kraftb.at
Mon Jul 31 23:45:31 CEST 2006


Waldemar Kornewald wrote:

>> there are many extension programmers who do not know about
>> SQL injections and do not properly escape values which are taken
>> from GET or POST vars ...
>>
>> so if there were a table febe_users instead of the current fe_users
>> and be_users, and it had a flag "is_beuser", and you had an extension
>> with a statement like:
>> [...]
>> then he could easily become a BE user.
>
> Well, a role or group could do. Roles are in a different table and
> normally, an end-user accessible plugin won't manipulate roles. So,
> it's really strange why this separation was done. Would it be very
> difficult to revert this for V4.5? Our project really needs one single
> user DB and since the separation is unnecessary this should be
> removed, anyway.

It would only help if the group is assigned to the user via an n:m relation.

Else you could again write the comma-separated list using an SQL injection.

Currently group lists in TYPO3 are comma-separated lists ... and changing that
is almost impossible ...

greets,
Bernhard
-- 
----------------------------------------------------------------------
"Freedom is always also the freedom of those who think differently"
Rosa Luxemburg, 1871 - 1919
----------------------------------------------------------------------
[[ http://think-open.at | Open source company ]]
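The situation the thread is worried about, as an added example (Python with an in-memory SQLite table; not code from the list or from TYPO3): a constructed stand-in for a user table whose `usergroup` column is a comma-separated list, updated once with a string-spliced request value and once with a bound parameter. The table, column and function names are assumptions for illustration.

```python
import sqlite3

# Constructed schema mimicking the comma-separated group list discussed on
# the list (assumption: a single TEXT column holds the group uids).
SCHEMA = """
CREATE TABLE fe_users (uid INTEGER PRIMARY KEY, username TEXT,
                       usergroup TEXT, address TEXT);
INSERT INTO fe_users VALUES (1, 'alice', '3', 'old address');
"""


def setup():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def update_address_unsafe(db, uid, address):
    # Vulnerable form: the request value is spliced into the SQL text, so the
    # statement the database sees is whatever the value makes it.
    db.execute(f"UPDATE fe_users SET address='{address}' WHERE uid={uid}")
    db.commit()


def update_address_safe(db, uid, address):
    # Hardened form: placeholders bind the value as data, so only the
    # intended column can change, whatever the value contains.
    db.execute("UPDATE fe_users SET address=? WHERE uid=?", (address, uid))
    db.commit()


def groups_of(db, uid):
    row = db.execute("SELECT usergroup FROM fe_users WHERE uid=?", (uid,)).fetchone()
    return row[0].split(",") if row and row[0] else []


def address_of(db, uid):
    return db.execute("SELECT address FROM fe_users WHERE uid=?", (uid,)).fetchone()[0]


def demo():
    # Constructed request value that closes the quoted address and continues
    # the SET clause; with string splicing it also rewrites the group list.
    value = "x', usergroup='1,3"
    unsafe_db, safe_db = setup(), setup()
    update_address_unsafe(unsafe_db, 1, value)
    update_address_safe(safe_db, 1, value)
    return {
        "unsafe_groups": groups_of(unsafe_db, 1),   # group list rewritten
        "safe_groups": groups_of(safe_db, 1),       # unchanged
        "safe_address": address_of(safe_db, 1),     # value stored literally
    }
```

The comparison shows why escaping or binding every GET/POST value matters even for a harmless-looking column: with a comma-separated group list, any injectable UPDATE on that row can change membership.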