Does Typo3 v4.5.30 auto escape strings?

I am trying to debug an issue (not my own code) with strings getting escaped and re-escaped repeatedly as the item is resaved.

The code uses mysql_real_escape_string, but even though magic quotes are turned off the post variables are already quoted when my action is called, and so the call to mysql_real_escape_string doubles up the quotes. And then every time the item is resaved more and more slashes pile up.

So I need to make sure the item is escaped (once) before going to the database but then un-escaped when displayed on the page.

My action begins like so:

 public function adminAction() {
     $prizes = $_POST['tx_xxx_bingofrontend']['prize'];
     // at this point my prize[] elements are already quoted, why?
     $cleanedValues = array();
     foreach ($prizes as $key => $prize) {
         foreach ($prize as $field => $value) {
             // echo "Magic quotes is " . (get_magic_quotes_gpc() ? "ON" : "OFF");
             // echo strip_tags($value) ;die;
             // OFF gets printed
             // the value is already slashed here, so this escapes it a second time
             $cleanedValues[$field] = mysql_real_escape_string(strip_tags($value));
         }
     }
     // .... more code
 }

I am using typo3 v4.5.30. Is there a typo3 setting, or possibly an extension API call made somewhere, that does the escaping before my action code fires?

How can I make sure the strings get displayed properly and resaved properly?

Thanks!

UPDATE: I now have this code:

 public function adminAction() {
     $postsvars = t3lib_div::_POST();
     $prizes = $postsvars['tx_xxx_xxfrontend']['prize'];

     $cleanedValues = array();
     foreach ($prizes as $key => $prize) {
         foreach ($prize as $field => $value) {
             // echo "Magic quotes is " . (get_magic_quotes_gpc() ? "ON" : "OFF");
             // echo strip_tags($value) ;die;
             // t3lib_div::_POST() hands back the values without the added slashes;
             // quoteStr() then escapes them once for use inside an SQL string literal
             $cleanedValues[$field] = $GLOBALS['TYPO3_DB']->quoteStr(strip_tags($value), 'tx_xxx_domain_model_prize');
         }
     }
 }

which runs before each update and create, and it properly adds the slashes (I'm not sure how it uses my table name in the call, but it seems to work, so OK). But when I read stuff up and remove the slashes to display like so in my model:

 public function UnEscapePrize() {
     $this->setTitle(stripslashes($this->getTitle()));
     // ..... other vars get un-escaped
 }

the removal of slashes gets saved into the database, which is not what I want. I just want to remove them for the view. How can I do so?

UPDATE 2: or am I worried over nothing? Is typo3 4.5.3/extbase 1.3 susceptible to SQL injection attacks when using the default update and add methods? If it uses string concat to piece together SQL then it may be, but if it uses prepared statements it isn't. I come from a place that still used a lot of string concat SQL, so this worry is just second nature to me.
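The following is an added PHP model of the re-save loop described in the question; it is not code from the question or from TYPO3. It reproduces the slash pile-up and shows an escape-once pattern that stays stable across re-saves, plus a view-side formatter that never touches a setter. Assumptions: addslashes() stands in for mysql_real_escape_string()/quoteStr() (which need a live MySQL connection), stripslashes() stands in for the SQL parser consuming one layer of escaping and for the un-slashing that t3lib_div::_POST() performs, and the Prize class and the roundTrip/escapeWhatArrived/escapeOnce/titleForView names are hypothetical.

```php
<?php
// Added example, not code from the question or from TYPO3. addslashes() stands
// in for mysql_real_escape_string()/quoteStr(), stripslashes() for the SQL
// parser removing one layer of escaping (and for what t3lib_div::_POST() does).

// One edit-and-save round trip for a single form field.
//   $escapeInAction  the escaping the controller applies before building SQL
//   $displayed       the value the edit form showed (what the DB holds now)
// Returns the value the database ends up storing after this save.
function roundTrip(callable $escapeInAction, string $displayed): string
{
    $postValue  = addslashes($displayed);       // $_POST already arrives slashed (as observed above)
    $sqlLiteral = $escapeInAction($postValue);  // controller-side escaping
    return stripslashes($sqlLiteral);           // one layer consumed by the SQL parser
}

// Pattern from the question: escape the $_POST value exactly as it arrived.
function escapeWhatArrived(string $postValue): string
{
    return addslashes(strip_tags($postValue));
}

// Escape-once pattern: start from the un-slashed value (what t3lib_div::_POST()
// returns, modelled with stripslashes) and escape exactly once.
function escapeOnce(string $postValue): string
{
    $unescaped = stripslashes($postValue);
    return addslashes(strip_tags($unescaped));
}

// Run $rounds successive edit/save cycles and collect what the DB holds after each.
function simulateResaves(callable $escapeInAction, string $initial, int $rounds): array
{
    $history = [];
    $stored  = $initial;
    for ($i = 0; $i < $rounds; $i++) {
        $stored    = roundTrip($escapeInAction, $stored);
        $history[] = $stored;
    }
    return $history;
}

// Minimal stand-in for the Extbase domain model in the question (hypothetical).
class Prize
{
    private $title = '';
    public function getTitle(): string { return $this->title; }
    public function setTitle(string $title): void { $this->title = $title; }
}

// View-side formatting that never calls a setter: the object stays unchanged,
// so the persistence layer has nothing "un-escaped" to write back.
function titleForView(Prize $prize): string
{
    return htmlspecialchars(stripslashes($prize->getTitle()), ENT_QUOTES, 'UTF-8');
}

// Constructed sample input: a title containing a quote and a backslash.
$title = "O'Reilly \\ Bingo";

echo "Escape what arrived (one extra layer of slashes per save):\n";
foreach (simulateResaves('escapeWhatArrived', $title, 3) as $round => $stored) {
    printf("  after save %d: %s\n", $round + 1, $stored);
}

echo "Escape once (stored value identical on every save):\n";
foreach (simulateResaves('escapeOnce', $title, 3) as $round => $stored) {
    printf("  after save %d: %s\n", $round + 1, $stored);
}

$prize = new Prize();
$prize->setTitle("O\\'Reilly");  // a value that already picked up a stray slash
echo "for the template: ", titleForView($prize), "\n";
echo "model unchanged:  ", $prize->getTitle(), "\n";
```

The two simulations differ only in whether the controller escapes the already-slashed $_POST value or the un-slashed one; the first grows by one layer per save, the second is idempotent. The titleForView() function is the shape the UPDATE asks for: strip for display in a view helper or template, never in a method that calls setTitle(), so nothing is marked dirty and persisted.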

TYPO3 auto-escapes POST variables, this is correct.

The proper way to access them in typo3 is t3lib_div::_POST($name), which will give you them unescaped.

See the documentation.
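To illustrate the distinction UPDATE 2 of the question draws between string-concatenated SQL and prepared statements, here is an added PHP example; it is not code from the question, the answer, TYPO3 or Extbase, and it says nothing about how Extbase 1.3 builds its queries. It uses an in-memory SQLite database through PDO (an assumption chosen so the script runs without MySQL), and the table, the sample title and the updateByConcat/updateByPrepared/readTitle names are constructed for the example.

```php
<?php
// Added example, not code from the question or from TYPO3/Extbase. PDO with
// SQLite in memory is an assumption so that the script runs stand-alone.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE prize (uid INTEGER PRIMARY KEY, title TEXT NOT NULL)');
$db->exec("INSERT INTO prize (uid, title) VALUES (1, 'placeholder')");

// String concatenation: the value becomes part of the SQL text, so every quote
// or backslash in it must be escaped by hand, and escaping it twice stores
// garbage (the slash pile-up from the question).
function updateByConcat(PDO $db, int $uid, string $title): void
{
    $sql = "UPDATE prize SET title = '" . $title . "' WHERE uid = " . $uid;
    $db->exec($sql);
}

// Parameter binding: the value travels separately from the SQL text, so no
// manual escaping is needed and re-saving the same value is idempotent.
function updateByPrepared(PDO $db, int $uid, string $title): void
{
    $stmt = $db->prepare('UPDATE prize SET title = :title WHERE uid = :uid');
    $stmt->execute([':title' => $title, ':uid' => $uid]);
}

function readTitle(PDO $db, int $uid): string
{
    $stmt = $db->prepare('SELECT title FROM prize WHERE uid = :uid');
    $stmt->execute([':uid' => $uid]);
    return (string) $stmt->fetchColumn();
}

// Constructed sample: an ordinary title containing an apostrophe.
$title = "O'Reilly Bingo";

try {
    updateByConcat($db, 1, $title);
    echo "concat:   ", readTitle($db, 1), "\n";
} catch (PDOException $e) {
    // The apostrophe ends the string literal early and the statement is malformed;
    // with concatenation the caller is responsible for escaping every value.
    echo "concat failed: ", $e->getMessage(), "\n";
}

// Re-save the same title several times through the prepared statement: the
// stored value never changes, so there is nothing to strip before display.
for ($i = 0; $i < 3; $i++) {
    updateByPrepared($db, 1, $title);
}
echo "prepared: ", readTitle($db, 1), "\n";
```

The practical rule this shows: escaping belongs to exactly one layer. If values are bound as parameters, or if the database abstraction quotes them itself, any additional escaping in the controller is what produces the extra slashes; if SQL is concatenated, the escaping must happen once, from the unescaped value, immediately before the literal is built.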

粤ICP备18138465号  © 2020-2024 STACKOOM.COM