typo3 sql注入保护

Question

is there any sql injection protection in typo framework? Or I have to take care by myself of building a query?

I found prepare_SELECTqueryArray, but there is no example how it should look. My TYPO3 version is 4.7. And this prepare_SELECTqueryArray I found on site with TYPO3 v.6.1.

Answer 1

Prepared Statements are available at least in TYPO3 4.5 as you can see here [1] and [2]

A Prepared query could look like this

$preparedQuery = $this->link->prepare_SELECTquery('fieldblob,fieldblub', $table, 'id=:id', '', '', '', array(':id' => 1));
$preparedQuery->execute();
$result = $preparedQuery->fetch();

or

$preparedQuery = $this->link->prepare_SELECTquery('fieldblob,fieldblub', $table, 'id=:id'); 
$preparedQuery->bindValues(array(':id' => 1));
$preparedQuery->execute();
$result = $preparedQuery->fetch();

[1] https://github.com/TYPO3/TYPO3.CMS/blob/TYPO3_4-5/t3lib/class.t3lib_db.php

[2] https://github.com/TYPO3/TYPO3.CMS/blob/TYPO3_4-5/t3lib/db/class.t3lib_db_preparedstatement.php

Answer 2

On many places values are quoted automatically. Within the prepare_* functions, all parameters are quoted by default.

If you use exec_* querys, you need to escape values in where part on your own. Use $GLOBALS['TYPO3_DB']->fullQuoteStr($value, $tablename) for that.

Be aware, that you can create SQL-Injections with TypoScript too. If you use CONTENT-Object you can insert GET/POST Data into the where-clause. Use intval or select.markers for creating SQL-Injection save querys.