Feature #17881
closed
Enable stdWrap for select.where
Added by Oliver Hader over 16 years ago. Updated almost 11 years ago.
100%
Description
stdWrap is not possible for select.where.
Example:
10 = CONTENT
10 {
table = tt_content
select.where.data = register:colPos
select.where.wrap = colPos=|
}
(issue imported from #M6882)
Files
| 0006882.patch (580 Bytes) 0006882.patch | Administrator Admin, 2007-12-03 18:54 | ||
| v43_0006882.patch (1.06 KB) v43_0006882.patch | Administrator Admin, 2009-09-28 22:42 |
Updated by Ronald Steiner over 15 years ago
Seems still not to be included in Typo3 Version 4.2.1
or is there a work around, how to solve the above example without stdWrap?
Updated by Ralf Hettinger over 15 years ago
workaround: select.andWhere has stdWrap property
Updated by Martin Holtz about 15 years ago
just for notice, that feature would make it possible to write sql-statements in this way:
select.where.cObject = COA
select.where.cObject {
10 = TEXT
10.value = colPos={field:colPos}
20 = TEXT
20.value = AND pid IN ({field:pages})
stdWrap.insertData = 1
}
Updated by Sebastian Michaelsen over 14 years ago
Added a patch for current 4.3 trunk and with warning comments to avoid using GPvars to avoid SQL-Injections
Updated by Oliver Hader over 14 years ago
Thanks Sebastian! However, who is looking into the source code while typing TypoScript? The proper place would be TSref - but then it's still possible to produce insecure settings...
Updated by Martin Holtz over 14 years ago
well, it is possible to produce SQL-Injections right now - use andWhere.stdWrap for proper SQL Injection vulerability;)
perhaps it would make sense to integrate
fullQuoteStr as an stdWrap option - than you would not need an userFunction for that
Updated by Martin Holtz over 14 years ago
ok, i opened a ticket for that: #21169
Updated by Marc Bastian Heinrichs about 13 years ago
Could this be closed because of the markers concept in #22338?
Updated by Chris topher about 13 years ago
I just wanted to ask the same which Bastian already asked above:
Is this done with #22338?
Updated by Xavier Perseguers almost 13 years ago
- Category deleted (
Communication) - Status changed from Accepted to Needs Feedback
- Target version changed from 4.6.0 to 4.6.0-beta1
Updated by Stefan Neufeind almost 13 years ago
Function-wise it cann all be done with markers (#22338), I agree. But having andWhere with stdWrap-support but not where sounds unlogic to me. Markers are imho a "heavy" way to solve even just small problems where somebody might just want to do something simple with an ID or typeNum he got from somewhere it (not GPvar). I like the idea of having where also support stdWrap "to have it clean".
(If there are strong objectionions, then those people please file another proposal to deprecate andWhere-stdWrap-support :-))
Updated by Mr. Hudson almost 13 years ago
Patch set 1 of change I22c0e2c1c49fdd44ab67b823043a2e07f304e8c8 has been pushed to the review server.
It is available at http://review.typo3.org/3337
Updated by Mr. Hudson almost 13 years ago
Patch set 2 of change I22c0e2c1c49fdd44ab67b823043a2e07f304e8c8 has been pushed to the review server.
It is available at http://review.typo3.org/3337
Updated by Mr. Hudson almost 13 years ago
Patch set 3 of change I22c0e2c1c49fdd44ab67b823043a2e07f304e8c8 has been pushed to the review server.
It is available at http://review.typo3.org/3337
Updated by Stefan Neufeind almost 13 years ago
- Status changed from Needs Feedback to Resolved
- % Done changed from 0 to 100
Applied in changeset bc5c229aa55fb9cb403c050e3f78739b214eb51f.
Updated by Chris topher almost 13 years ago
The documentation has been added to the wiki.
Updated by Xavier Perseguers about 12 years ago
- Status changed from Resolved to Closed
Updated by Ernesto Baschny almost 11 years ago
- Target version deleted (
4.6.0-beta1)