Extension Development, Security Guidelines
From TYPO3Wiki
Measures against SQL injection in form fields
PHP
addslashes(string $str)
Prepends a backslash to single quotes, double quotes, backslashes and NUL bytes. In plain PHP this is the minimum you must do before concatenating a string into a MySQL query; inside a TYPO3 extension use the TYPO3_DB methods below instead, which do the same job in a database-abstraction-friendly way.
TYPO3
1. $GLOBALS['TYPO3_DB']->quoteStr(string $str, string $table)
Substitute for the PHP function addslashes(). Use this method instead of addslashes() when you build queries; this prepares your code for DBAL. NOTICE: you must wrap the output of this method in SINGLE QUOTES yourself to stay DBAL compatible. Unless you have to place the single quotes yourself (for example because LIKE wildcards go inside them), use ->fullQuoteStr() instead.
Example: <php>
if ($this->piVars['searchword']) {
    $query .= ' AND tx_extensiontable.title LIKE \'%' . $GLOBALS['TYPO3_DB']->quoteStr($this->piVars['searchword'], 'tx_extensiontable') . '%\'';
}
</php>
Result: <php>
AND tx_extensiontable.title LIKE '%Is your name really O\'reilly?%'
</php>
2. $GLOBALS['TYPO3_DB']->fullQuoteStr(string $str, string $table)
Escapes the string and returns it already wrapped in single quotes, so the result is a complete SQL string literal. Do not add quotes around it again.
Example: <php>
if ($this->piVars['searchword']) {
    $query .= ' AND tx_extensiontable.title LIKE ' . $GLOBALS['TYPO3_DB']->fullQuoteStr($this->piVars['searchword'], 'tx_extensiontable');
}
</php>
Result: <php>
AND tx_extensiontable.title LIKE 'Is your name really O\'reilly?'
</php>
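A worked example, added here and not part of the original wiki page, that puts the two methods side by side with the vulnerable raw concatenation they replace, and adds the two things the text above leaves out: keeping user-typed LIKE wildcards literal, and handling numeric values that are never quoted at all. It assumes TYPO3 4.x, where $GLOBALS['TYPO3_DB'] is a t3lib_DB object with quoteStr() and fullQuoteStr(); escapeStrForLike() is assumed to be available on that object (later 4.x releases have it). A small stand-in class is defined so the script also runs under plain PHP outside TYPO3. The buildWhere* function names and the sample inputs are constructed for this example.

```php
<?php
// Added example, not code from the TYPO3 wiki page. Assumes TYPO3 4.x, where
// $GLOBALS['TYPO3_DB'] is a t3lib_DB object with quoteStr(), fullQuoteStr() and
// (assumed available) escapeStrForLike(). The stand-in below exists only so the
// script also runs under plain PHP outside TYPO3; it mimics those methods for MySQL.
if (!isset($GLOBALS['TYPO3_DB'])) {
    class StandInTypo3Db {
        public function quoteStr($str, $table) { return addslashes($str); }
        public function fullQuoteStr($str, $table) { return '\'' . addslashes($str) . '\''; }
        // Make LIKE wildcards literal, the same idea as t3lib_DB::escapeStrForLike().
        public function escapeStrForLike($str, $table) { return preg_replace('/[_%]/', '\\\\$0', $str); }
    }
    $GLOBALS['TYPO3_DB'] = new StandInTypo3Db();
}

// "Before": raw piVars concatenated into the query. A value such as
// "%' OR 1=1 -- " closes the LIKE pattern and appends its own condition.
function buildWhereVulnerable($searchword) {
    return " AND tx_extensiontable.title LIKE '%" . $searchword . "%'";
}

// Substring search: the % wildcards belong inside the quotes, so quoteStr() is the
// right tool and the single quotes are written by hand. escapeStrForLike() keeps a
// % or _ typed by the user literal; otherwise "50%_off" would also match "50 off".
function buildWhereSafe($searchword) {
    $db = $GLOBALS['TYPO3_DB'];
    $pattern = $db->escapeStrForLike($searchword, 'tx_extensiontable');
    return ' AND tx_extensiontable.title LIKE \'%' . $db->quoteStr($pattern, 'tx_extensiontable') . '%\'';
}

// Exact match: fullQuoteStr() adds the quotes itself; never wrap it again.
function buildWhereExact($value) {
    return ' AND tx_extensiontable.title = ' . $GLOBALS['TYPO3_DB']->fullQuoteStr($value, 'tx_extensiontable');
}

// Numeric values are not quoted at all, so the quoting helpers do nothing for them:
// cast with intval() instead, which turns "3 OR 1=1" into 3.
function buildWhereUid($uid) {
    return ' AND tx_extensiontable.uid = ' . intval($uid);
}

// Constructed sample inputs: a legitimate search, an injection attempt, wildcards.
$inputs = array(
    "Is your name really O'reilly?",
    "%' OR 1=1 -- ",
    "50%_off",
);
foreach ($inputs as $in) {
    echo 'vulnerable: ' . buildWhereVulnerable($in) . "\n";
    echo 'safe LIKE:  ' . buildWhereSafe($in) . "\n";
    echo 'exact:      ' . buildWhereExact($in) . "\n\n";
}
echo 'uid:        ' . buildWhereUid('3 OR 1=1') . "\n";
```

Run it with `php example.php` either inside a TYPO3 bootstrap or stand-alone. For the first input the safe LIKE line reproduces the result shown above; for the second the injected quote arrives in MySQL as \' and stays inside the pattern. The two escaping steps address different layers: quoteStr() protects the boundary of the string literal, escapeStrForLike() protects the meaning of the pattern inside it, and neither helps a value that is placed into the query without quotes.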
Measures against Cross Site Scripting (XSS)
All user-controlled input (GET/POST values such as $this->piVars, and also values read back from the database that originally came from users) must be escaped with htmlspecialchars() before it is written into HTML output. This covers HTML text and attribute values; data placed inside JavaScript or a URL needs escaping for that context instead.
--Chibox 15:32, 12 February 2008 (CET)
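A worked example for the XSS section, added here and not part of the original wiki page or its author's code. It shows the same search word echoed back in element content and in a single-quoted attribute, once unescaped and once through htmlspecialchars(), and why the ENT_QUOTES flag matters for the attribute case. It assumes a pi_base-style plugin where the value comes from $this->piVars['searchword'] (a plain function parameter stands in for it) and a UTF-8 page charset; in a TYPO3 4.x frontend you would pass $GLOBALS['TSFE']->renderCharset instead of the literal. The render* function names and the payloads are constructed for this example.

```php
<?php
// Added example, not code from the TYPO3 wiki page. Assumes a pi_base-style plugin
// where the value comes from $this->piVars['searchword']; here a plain function
// parameter stands in for it. The charset is assumed to be UTF-8 (in a TYPO3 4.x
// frontend you would pass $GLOBALS['TSFE']->renderCharset).

// "Before": the search word is echoed back unescaped, in text and attribute context.
function renderVulnerable($searchword) {
    return '<h2>Results for ' . $searchword . '</h2>' . "\n" .
           '<input type="text" name="tx_ext[searchword]" value=\'' . $searchword . '\' />';
}

// Hardened: escape once, and use the escaped copy everywhere it lands in HTML.
// ENT_QUOTES also converts single quotes; ENT_COMPAT (the default before PHP 8.1)
// leaves them alone, so the single-quoted attribute below would still be breakable.
function renderSafe($searchword) {
    $esc = htmlspecialchars($searchword, ENT_QUOTES, 'UTF-8');
    return '<h2>Results for ' . $esc . '</h2>' . "\n" .
           '<input type="text" name="tx_ext[searchword]" value=\'' . $esc . '\' />';
}

// Constructed payloads: one aimed at the element body, one at the attribute.
$payloads = array(
    '<script>alert(1)</script>',
    "' onfocus='alert(1)' autofocus='",
);
foreach ($payloads as $p) {
    echo "vulnerable:\n" . renderVulnerable($p) . "\n";
    echo "safe:\n" . renderSafe($p) . "\n\n";
}
```

In the safe output the first payload becomes &lt;script&gt;... and the second payload's quotes become &#039;, so the browser renders both as text. Escape at the point of output, not at the point of input: storing escaped data leads to double escaping and leaves other output paths (CSV, mail, JSON) unprotected.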
