stackoom
  简体   繁体   中英

does Typo3 v4.5.30 auto escape strings?

 原文  2013-11-21 17:20:01       typo3/ mysql-real-escape-string/ extbase/ magic-quotes-gpc

Question

I am trying to debug an issue (not my own code) with strings getting escaped and re-escaped repeatedly as the item is resaved.

The code uses mysql_real_escape_string but even though magic quotes are turned off the post variables are already quoted when my action is called and so the call to mysql_real_escape_string doubles up the quotes. and then every time the item is resaved more and more slashes pile up.

So I need to make sure the item is escaped (once) before going to the database but then un-escaped when displayed on the page.

My action begins like so: 

 public function adminAction() {
    $prizes = $_POST['tx_xxx_bingofrontend']['prize'];
    //at this point my prize[] elements are already quoted, why?
    foreach ($prizes as $key => $prize) {
        foreach ($prize as $field => $value) {
            // echo "Magic quotes is " . (get_magic_quotes_gpc() ? "ON" : "OFF");
            // echo strip_tags($value) ;die;
            // OFF gets printed
            $cleanedValues[$field] = mysql_real_escape_string(strip_tags($value));
        }
.... more code

I am using typo3 v4.5.30 , is there a typo3 setting or possibly an extension api call made somewhere that calls does the escaping before my action code fires?

How can I make sure the strings get displayed properly and resaved properly?

Thanks!

UPDATE: I now have this code: 

 public function adminAction() {
        $postsvars =  t3lib_div::_POST();
        $prizes = $postsvars['tx_xxx_xxfrontend']['prize'];


        foreach ($prizes as $key => $prize) {
            foreach ($prize as $field => $value) {
                //echo "Magic quotes is " . (get_magic_quotes_gpc() ? "ON" : "OFF");
               // echo strip_tags($value) ;die;
                $cleanedValues[$field] =   $GLOBALS['TYPO3_DB']->quoteStr(strip_tags($value),'tx_xxx_domain_model_prize' );

which runs before each before update and create and it properly adds the slashes ( I'm not sure how it uses my tablename in the call but it seems to work so ok). But when I read stuff up and remove the slashes to display like so in my model: 

public function UnEscapePrize( ){
               $this->setTitle(stripslashes( $this->getTitle()));
               ..... other vars get un-escaped
  }

the removal of slashes gets saved into the database which is not what I want. I just want to remove them for the view. How can I do so?

UPDATE 2 : or am I worried over nothing? is typo3 4.5.3/extbase 1.3 susceptible to sql injection attacks when using the default update and add methods? If it uses string concat to piece together sql then it may be but if it uses prepared statement it isn't. I come from a place that still used alot of string concat sql so this worry is just second nature to me.

1 answers

solution1
 1 ACCPTED  2013-11-22 09:06:06

TYPO3 auto-escapes POST variables, this is correct.

The proper way to access them in typo3 is t3lib_div::_POST($name) , which will give you them unescaped.

See the documentation .

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question how to: findByProperty on two fields in typo3 v4.5.30? how to : specify a default action for a TYPO3 v4.5.30 extbase extension? Tx_Extbase_Domain_Repository_FrontendUserRepository->findAll() not working in typo3 4.5.30? TYPO3 v9 Scheduler does not persist the data How to escape an ampersand in TypoScript/TYPO3? TYPO3 Fluid: escape array key TYPO3 Escape Fluid ViewHelper object properties typo3scan: path typo3/cms-scanner/config/Matcher/v8 does not exist Typo3 Database update from typo3 v7.6 to typo3 v11.53 Is the TYPO3 Site Kickstarter broken in TYPO3 v7.6
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM