Hi,

On 23-5-2011 12:19, horace grant wrote:
> I have extended the search function of tt_news with the searchwhere hook.
>
> Do I have to do anything special to prevent SQL injections, or will the
> where string be sanitized afterwards anyway?

If you have used $GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['tt_news']['selectConfHook'] to change the select configuration, you have to take care of possible SQL injections yourself.

For integer values you can simply use intval() to make sure it's an integer. For strings you can use
$GLOBALS['TYPO3_DB']->fullQuoteStr($value, <table_name>);
$GLOBALS['TYPO3_DB']->escapeStrForLike($value, <table_name>);
(see class t3lib_DB in t3lib/class.t3lib_db.php)

--
Kind regards / met vriendelijke groet,

Jigal van Hemert.
_______________________________________________
TYPO3-english mailing list
TYPO3-english@lists.typo3.org
http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-english
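A hook class written along the lines of the advice above, as an added example (it is not code from this thread or from the tt_news extension). It assumes the TYPO3 4.x API referenced in the reply ($GLOBALS['TYPO3_DB'] as a t3lib_DB instance, t3lib_div::_GP() for request parameters), that tt_news calls the hook method as processSelectConfHook(), and that $selectConf['where'] already holds at least one condition; the class, parameter names and the registration line in the comment are made up for the example.

```php
<?php
// Added example, not from the mailing-list thread or from tt_news itself.
// Assumed registration in ext_localconf.php of a hypothetical extension "myext":
//   $GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['tt_news']['selectConfHook'][] =
//       'EXT:myext/class.tx_myext_ttnewshook.php:tx_myext_ttnewshook';
// Assumed hook method name: processSelectConfHook(&$pObj, $selectConf).

class tx_myext_ttnewshook {

    /**
     * Appends extra conditions to the tt_news select configuration.
     * Every value taken from the request goes through intval() or
     * t3lib_DB before it is concatenated into $selectConf['where'].
     */
    public function processSelectConfHook(&$pObj, $selectConf) {
        $db    = $GLOBALS['TYPO3_DB'];
        $table = 'tt_news';

        // Integer filter (tt_news.type is an integer column): intval() is enough,
        // anything that is not a number collapses to 0 and is ignored here.
        $type = intval(t3lib_div::_GP('tx_myext_type'));
        if ($type > 0) {
            $selectConf['where'] .= ' AND ' . $table . '.type=' . $type;
        }

        // String filter: fullQuoteStr() escapes quote characters for the
        // configured DBMS and returns the value already wrapped in quotes.
        $author = (string) t3lib_div::_GP('tx_myext_author');
        if ($author !== '') {
            $selectConf['where'] .= ' AND ' . $table . '.author='
                . $db->fullQuoteStr($author, $table);
        }

        // LIKE search: escapeStrForLike() neutralises the % and _ wildcards
        // inside the user input; fullQuoteStr() then quotes the whole pattern.
        // Using escapeStrForLike() alone is not enough, as it does not quote.
        $sw = (string) t3lib_div::_GP('tx_myext_sw');
        if ($sw !== '') {
            $pattern = '%' . $db->escapeStrForLike($sw, $table) . '%';
            $selectConf['where'] .= ' AND ' . $table . '.title LIKE '
                . $db->fullQuoteStr($pattern, $table);
        }

        return $selectConf;
    }
}
```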
