Feature #21169
closed
add fullQuoteStr to stdWrap
Added by Martin Holtz over 14 years ago.
Updated almost 14 years ago.
Description
(afaik) at the moment you need a userFunc to sanitize a value so that it is SQL-injection safe.
- Example: sql-injection possible
1 = CONTENT
1.table = tt_content
1.select {
pidInList = this
orderBy = sorting
andWhere.cObject = TEXT
andWhere.data = GPvar:parameter
andWhere.wrap = title = '|'
}
- how it could be:
1 = CONTENT
1.table = tt_content
1.select {
pidInList = this
orderBy = sorting
andWhere.cObject = TEXT
andWhere.data = GPvar:parameter
# define table name for fullQuoteStr
andWhere.fullQuoteStr = tt_content
andWhere.wrap = title = '|'
}
(issue imported from #M12094)
Files
There is an error in 0012094.patch, so I just uploaded 0012094_v2.patch.
Add &parameter=te'st to the URL:
page = PAGE
page.5 = TEXT
page.5.data = GPvar:parameter
page.5.wrap = <h2>|</h2>
page.6 = TEXT
page.6.data = GPvar:parameter
page.6.wrap = <h2>|</h2>
page.6.fullQuoteStr = tt_content
Just uploaded the enhanced patch from Bastian Waidelich.
Patch works :)
v3 ships two options: quoteStr and fullQuoteStr.
Use cases are demonstrated in the following two examples:
- 1) quoteStr
page = PAGE
page.10 = CONTENT
page.10 {
table = tt_content
select {
andWhere.cObject = TEXT
andWhere.cObject {
data = GPvar:parameter
quoteStr = tt_content
wrap = header LIKE "|%"
}
}
}
- 2) fullQuoteStr
page.20 = CONTENT
page.20 {
table = tt_content
select {
andWhere.cObject = TEXT
andWhere.cObject {
data = GPvar:parameter
fullQuoteStr = tt_content
wrap = header=|
}
}
}
I have added an extension which provides the two functions for 4.2. It also works with 4.3 in case the patch does not make it into 4.3.
Hi,
Without testing, I guess your first example with quoteStr will fail when using DBAL and having an Oracle database. I'm pretty sure it will lead to the same bug as #12721.
I guess the solution would be not to use quoteStr() at all, to rely only on fullQuoteStr() and "construct" the
header LIKE "|%"
either by toying with all the available wraps or with COA.
I don't have Oracle. Would you be so kind as to test this?
The first example could be replaced by this:
page.10 = CONTENT
page.10 {
table = tt_content
select {
andWhere.cObject = TEXT
andWhere.cObject {
value = {GPvar:parameter}
insertData = 1
fullQuoteStr = tt_content
noTrimWrap = |header LIKE ||
}
}
}
Although it works fine, it looks a bit ugly.
There still might be some case where quoteStr is needed. Does anyone know a useful example?
Well, IMHO it should not hurt to have the possibility to use quoteStr.
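The difference between the two options in the v3 patch, and why the fullQuoteStr-only replacement above is the portable one, is easier to see on concrete strings. The following Python script is an added example, not code from the TYPO3 issue, its patches or the extension mentioned above: it models the quoteStr and fullQuoteStr options and the wrap / noTrimWrap handling of stdWrap, applies them to the GET parameter in the order the TypoScript examples on this page use (quote first, then wrap), and counts unescaped single quotes in the resulting andWhere clause. The escaping rule is an assumption (MySQL-style backslash escaping of backslash and both quote characters); the real escaping in TYPO3 is database-specific. The final variant that appends the `%` wildcard before quoting is also my addition, the page's own fullQuoteStr LIKE example has no wildcard.

```python
# Added example, not part of the TYPO3 issue or its patches.
# Assumption: quoteStr() is modelled as MySQL-style backslash escaping.

def quote_str(value: str) -> str:
    """Model of the quoteStr option: escape quote characters but do NOT add
    the surrounding quotes; the TypoScript author must supply them in wrap."""
    return (value.replace("\\", "\\\\")
                 .replace("'", "\\'")
                 .replace('"', '\\"'))


def full_quote_str(value: str) -> str:
    """Model of the fullQuoteStr option: escape AND wrap in single quotes,
    giving a complete SQL string literal that is valid on any database."""
    return "'" + quote_str(value) + "'"


def wrap(content: str, conf: str) -> str:
    """Model of stdWrap 'wrap': split at '|', both halves are trimmed.
    That trimming is why 'header LIKE |' would lose its trailing space."""
    before, after = conf.split("|", 1)
    return before.strip() + content + after.strip()


def no_trim_wrap(content: str, conf: str) -> str:
    """Model of stdWrap 'noTrimWrap': the first character is the delimiter and
    the two halves are used verbatim, e.g. '|header LIKE ||'."""
    delim = conf[0]
    parts = conf.split(delim)
    return parts[1] + content + parts[2]


def and_where_unsafe(param: str) -> str:
    """The description's vulnerable example: GPvar wrapped straight into SQL."""
    return wrap(param, "title = '|'")


def and_where_quote_str(param: str) -> str:
    """Example 1) from the v3 patch: quoteStr plus a double-quoted wrap.
    Double quotes delimit identifiers in ANSI SQL and Oracle, so this only
    works where the database treats "..." as a string (MySQL)."""
    return wrap(quote_str(param), 'header LIKE "|%"')


def and_where_full_quote_str(param: str) -> str:
    """Example 2) from the v3 patch: fullQuoteStr plus 'header=|'."""
    return wrap(full_quote_str(param), "header=|")


def and_where_full_quote_like(param: str) -> str:
    """LIKE built with fullQuoteStr only, as in the replacement above, with
    the '%' wildcard appended before quoting (my addition)."""
    return no_trim_wrap(full_quote_str(param + "%"), "|header LIKE ||")


def unescaped_single_quotes(clause: str) -> int:
    """Count single quotes that are not backslash-escaped. An odd count means
    the parameter broke out of the string literal the wrap intended."""
    count = 0
    i = 0
    while i < len(clause):
        if clause[i] == "\\":
            i += 2          # skip the escaped character
            continue
        if clause[i] == "'":
            count += 1
        i += 1
    return count


if __name__ == "__main__":
    # Constructed inputs: the test value from this thread and a classic payload.
    for param in ("te'st", "' OR 1=1 -- "):
        print("param:", repr(param))
        for fn in (and_where_unsafe, and_where_quote_str,
                   and_where_full_quote_str, and_where_full_quote_like):
            clause = fn(param)
            print(f"  {fn.__name__:26} {clause}"
                  f"   unescaped quotes={unescaped_single_quotes(clause)}")
```

Running it shows that even the harmless value te'st produces a clause with three unescaped quotes in the unsafe variant, i.e. a broken query, while both quoted variants keep the value inside one literal. fullQuoteStr only guarantees that the value cannot leave the literal; inside a LIKE pattern the characters % and _ in the parameter remain wildcards, which is a separate concern the quoting options do not address.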
Related to #22338.
With #22338 it is possible to use markers which are processed via fullQuoteStr.
So this bug can be closed.
"With #22338 it is possible to use markers which are processed via fullQuoteStr." --> closed