Hi,
after gratefully trying and exploring WFQBE,
I'm getting to the security issues as addressed by Mauro in the documentation
http://docs.typo3.org/typo3cms/extensions/wfqbe/ExtDbIntegration/ImportantSecurityTopics/
Just to make sure I got this right:
if I use an edit query with id 25, I only have to insert
plugin.tx_wfqbe_pi1.customQuery.25.WFQBE_PARAM.wfqbe.intval=1
in an ext-TS record on that page and that's it?
(Found it in the Config Manual as well: "customQuery.XXX.wfqbe.intval - Boolean
- This option should be used each time you get an integer value via GET or
POST. Using this option you can prevent SQL Injections")
Since I'm not an enlightened pro in MySQL and do not know how and when the POST
and GET parameters are exactly used, unfortunately, I do not feel too sure why
this helps to avoid SQL injections, but it does, does it? I felt like I could
use WFQBE safely without knowing how to hard-code DB requests, but if I am not
able to do it safely you will surely suggest that I not use it at all?
Also, before I come to the above-mentioned edit page I have to be led there
from another one with these links:
plugin.tx_wfqbe_pi1.customProcess.16 {
  # adjust the id detail view
  uid = COBJ_ARRAY
  uid {
    # This object is used to provide a link to edit the record
    20 = TEXT
    20.value = Eintrag bearbeiten
    20.typolink = 1
    # page id where the edit query lives:
    20.typolink.parameter = 19
    20.typolink.additionalParams = &tx_wfqbe_pi1[uid]=###WFQBE_FIELD_uid###&tx_wfqbe_pi1[wfqbe_editing_mode]=1
  }
}
I do not have to clear anything here, do I?
How can I actually check whether the security fixing code does what it is
supposed to do?
Thank you for bringing some light into this!
Best regards,
*Eitel
_______________________________________________
TYPO3-english mailing list
[email protected]
http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-english
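To picture what the wfqbe.intval option changes for the tx_wfqbe_pi1[uid] parameter discussed above, here is an added illustration (not code from WFQBE, its documentation, or the original post): it emulates PHP's intval() in Python and builds the uid lookup once with the raw parameter and once with the cast, plus a check that the substituted value is a bare integer. The table name tt_address and the query shape are assumptions.

```python
"""Added example: why casting a request parameter to an integer before
it is substituted into a query removes the injection path that the
wfqbe.intval option is meant to close. The intval emulation, the table
name and the query shape are assumptions for illustration only."""
import re


def php_intval(value: str) -> int:
    """Emulate PHP's intval() on a string: leading whitespace, an optional
    sign and the leading digits are used; anything else yields 0."""
    match = re.match(r"^\s*([+-]?\d+)", value)
    return int(match.group(1)) if match else 0


def build_uid_query(uid_param: str, intval: bool) -> str:
    """Substitute tx_wfqbe_pi1[uid] into an assumed lookup query, either
    raw (intval option off) or coerced to an integer (intval option on)."""
    value = str(php_intval(uid_param)) if intval else uid_param
    return f"SELECT * FROM tt_address WHERE uid = {value}"


def is_safe_uid_query(query: str) -> bool:
    """Defensive check: the substituted value must be a bare integer
    literal, so nothing from the request can alter the WHERE clause."""
    return re.fullmatch(
        r"SELECT \* FROM tt_address WHERE uid = -?\d+", query
    ) is not None


if __name__ == "__main__":
    # Constructed sample parameter values: a normal id and a tampered one.
    for param in ("25", "25 OR 1=1"):
        for flag in (False, True):
            query = build_uid_query(param, intval=flag)
            print(f"intval={flag!s:5} param={param!r:14} -> {query!r} "
                  f"safe={is_safe_uid_query(query)}")
```

Running it shows that with the cast the tampered value collapses to 25 and the check passes, while without it the check fails; the same comparison is a way to answer the "how can I check it" question against your own query output.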