Feature #21169
closed
add fullQuoteStr to stdWrap
0%
Description
(afaik) at the moment you need a userFunc to sanitze a value to be sql-injection save
- Example: sql-injection possible
1 = CONTENT
1.table = tt_content
1.select {
pidInList = this
orderBy = sorting
andWhere.cObject = TEXT
andWhere.data = GPvar:parameter
andWhere.wrap = title = '|'
}
- how it could be:
1 = CONTENT
1.table = tt_content
1.select {
pidInList = this
orderBy = sorting
andWhere.cObject = TEXT
andWhere.data = GPvar:parameter # define table name for fullQuoteStr
andWhere.fullQuoteStr = tt_content
andWhere.wrap = title = '|'
}
(issue imported from #M12094)
Files
Updated by Martin Holtz over 14 years ago
there is an error in 0012094.patch - so i just uploaded 0012094_v2.patch
add ¶meter=te'st
page = PAGE
page.5 = TEXT
page.5.data = GPvar:parameter
page.5.wrap = <h2>|</h2>
page.6 = TEXT
page.6.data = GPvar:parameter
page.6.wrap = <h2>|</h2>
page.6.fullQuoteStr = tt_content
Updated by Martin Holtz over 14 years ago
just uploaded enhanced patch from Bastian Waidelich
patch works:)
Updated by Steffen Müller over 14 years ago
v3 ships two options: quoteStr and fullQuoteStr
Usecases are demonstrated in the following two examples:
- 1) quoteStr
page = PAGE
page.10 = CONTENT
page.10 {
table = tt_content
select {
andWhere.cObject = TEXT
andWhere.cObject {
data = GPvar:parameter
quoteStr = tt_content
wrap = header LIKE "|%"
}
}
}
- 2) fullQuoteStr
page.20 = CONTENT
page.20 {
table = tt_content
select {
andWhere.cObject = TEXT
andWhere.cObject {
data = GPvar:parameter
fullQuoteStr = tt_content
wrap = header=|
}
}
}
Updated by Steffen Müller over 14 years ago
I have added an extension which provides the two functions for 4.2. It also works with 4.3 in case the patch will not make it into 4.3
Updated by Steffen Müller over 14 years ago
The extension and the corresponding manual can now be found in TER:
http://typo3.org/extensions/repository/view/sm_stdwrapquote/current/
Updated by Xavier Perseguers over 14 years ago
Hi,
Without testing, I guess your first example with quoteStr will fail when using DBAL and having an Oracle database. I'm pretty sure it will lead to same bug as #12721.
I guess solution would be not to use quoteStr() at all, only rely on fullQuoteStr() and "construct" the
header LIKE "|%"
either with toying with all available wrap's or with COA.
Updated by Steffen Müller over 14 years ago
I don't have Oracle. Would you be so kind and test this?
The first example could be replaced by this:
page.10 = CONTENT
page.10 {
table = tt_content
select {
andWhere.cObject = TEXT
andWhere.cObject {
value = {GPvar:parameter}
insertData = 1
fullQuoteStr = tt_content
noTrimWrap = |header LIKE ||
}
}
}
Although it works fine, it looks a bit ugly.
There still might be some case where quoteStr is needed. Does anyone know a useful example?
Updated by Martin Holtz over 14 years ago
well, IMHO it should not hurt to have the possibility to use quoteStr.
Updated by Martin Holtz about 14 years ago
Updated by Steffen Gebert about 14 years ago
"With #22338 it is possible to use markers which are processed via fullQuoteStr." --> closed