Feature #17881

Enable stdWrap for select.where

Added by Oliver Hader almost 12 years ago. Updated over 6 years ago.

Status:
Closed
Priority:
Should have
Assignee:
Category:
-
Target version:
-
Start date:
2007-12-03
Due date:
% Done:

100%

PHP Version:
4.3
Tags:
Complexity:
Sprint Focus:

Description

stdWrap is not possible for select.where.
Example:
10 = CONTENT
10 {
  table = tt_content
  select.where.data = register:colPos
  select.where.wrap = colPos=|
}

(issue imported from #M6882)

0006882.patch View (580 Bytes) Administrator Admin, 2007-12-03 18:54

v43_0006882.patch View (1.06 KB) Administrator Admin, 2009-09-28 22:42


Related issues

Related to TYPO3 Core - Feature #22338: Added marker in CONTENT object Closed 2010-03-29
Related to TYPO3 Core - Feature #18822: Add stdWrap to each of the properties of TypoScript "select" Closed 2008-05-21

Associated revisions

Revision bc5c229a (diff)
Added by Stefan Neufeind over 8 years ago

[FEATURE] Enable stdWrap for select.where

stdWrap was supported at select.andWhere already.

Be careful not to use GPvar with this feature without
securing it (e.g. with stdWrap.intval)

Change-Id: I22c0e2c1c49fdd44ab67b823043a2e07f304e8c8
Resolves: #17881
Reviewed-on: http://review.typo3.org/3337
Reviewed-by: Susanne Moog
Tested-by: Susanne Moog
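The caution in the commit message above, shown as configuration. This is an added example, not part of the original commit or ticket; the object names lib.insecureContent and lib.hardenedContent and the request parameter name colPos are assumptions made for illustration.

```typoscript
# Weak setting: the raw request parameter is wrapped straight into
# the WHERE clause, so whatever the client sends becomes part of the SQL.
lib.insecureContent = CONTENT
lib.insecureContent {
  table = tt_content
  select.where.data = GP:colPos
  select.where.wrap = colPos=|
}

# Corrected setting: stdWrap applies intval before wrap, so only an
# integer can reach the WHERE clause (non-numeric input becomes 0).
lib.hardenedContent = CONTENT
lib.hardenedContent {
  table = tt_content
  select.where.data = GP:colPos
  select.where.intval = 1
  select.where.wrap = colPos=|
}
```

intval only covers integer columns; for string values the thread points to quoting (#21169) or the markers from #22338.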

History

#1 Updated by Ronald Steiner over 11 years ago

Seems still not to be included in TYPO3 version 4.2.1.

Or is there a workaround to solve the above example without stdWrap?

#2 Updated by Ralf Hettinger over 11 years ago

Workaround: select.andWhere has the stdWrap property.

#3 Updated by Martin Holtz almost 11 years ago

Just as a note: this feature would make it possible to write SQL statements in this way:

select.where.cObject = COA
select.where.cObject {
  10 = TEXT
  10.value = colPos={field:colPos}
  20 = TEXT
  20.value = AND pid IN ({field:pages})
  stdWrap.insertData = 1
}

#4 Updated by Sebastian Michaelsen about 10 years ago

Added a patch for the current 4.3 trunk, with warning comments advising against using GPvars, to avoid SQL injections.

#5 Updated by Oliver Hader about 10 years ago

Thanks Sebastian! However, who is looking into the source code while typing TypoScript? The proper place would be TSref - but then it's still possible to produce insecure settings...

#6 Updated by Martin Holtz about 10 years ago

Well, it is possible to produce SQL injections right now - use andWhere.stdWrap for a proper SQL injection vulnerability ;)

Perhaps it would make sense to integrate fullQuoteStr as a stdWrap option - then you would not need a userFunction for that.

#7 Updated by Martin Holtz about 10 years ago

OK, I opened a ticket for that: #21169

#8 Updated by Marc Bastian Heinrichs over 8 years ago

Could this be closed because of the markers concept in #22338?

#9 Updated by Chris topher over 8 years ago

I just wanted to ask the same thing that Bastian already asked above:

Is this done with #22338?

#10 Updated by Xavier Perseguers over 8 years ago

  • Category deleted (Communication)
  • Status changed from Accepted to Needs Feedback
  • Target version changed from 4.6.0 to 4.6.0-beta1

#11 Updated by Stefan Neufeind over 8 years ago

Function-wise it can all be done with markers (#22338), I agree. But having andWhere with stdWrap support but not where sounds illogical to me. Markers are imho a "heavy" way to solve even just small problems where somebody might just want to do something simple with an ID or typeNum he got from somewhere (not GPvar). I like the idea of having where also support stdWrap "to have it clean".

(If there are strong objections, then those people please file another proposal to deprecate andWhere-stdWrap-support :-))

#12 Updated by Mr. Hudson over 8 years ago

Patch set 1 of change I22c0e2c1c49fdd44ab67b823043a2e07f304e8c8 has been pushed to the review server.
It is available at http://review.typo3.org/3337

#13 Updated by Mr. Hudson over 8 years ago

Patch set 2 of change I22c0e2c1c49fdd44ab67b823043a2e07f304e8c8 has been pushed to the review server.
It is available at http://review.typo3.org/3337

#14 Updated by Mr. Hudson over 8 years ago

Patch set 3 of change I22c0e2c1c49fdd44ab67b823043a2e07f304e8c8 has been pushed to the review server.
It is available at http://review.typo3.org/3337

#15 Updated by Stefan Neufeind over 8 years ago

  • Status changed from Needs Feedback to Resolved
  • % Done changed from 0 to 100

#16 Updated by Chris topher over 8 years ago

The documentation has been added to the wiki.

#17 Updated by Xavier Perseguers over 7 years ago

  • Status changed from Resolved to Closed

#18 Updated by Ernesto Baschny over 6 years ago

  • Target version deleted (4.6.0-beta1)
