Extension Development, Security Guidelines
From TYPO3Wiki
Measures against SQL injection
Instead of the PHP function addslashes(), use t3lib_DB->quoteStr() to escape string values that are to be inserted into SQL statements. This prevents SQL injection, provided the escaped value ends up inside a quoted string literal. NOTICE: You must wrap the output of this function in single quotes for DBAL compatibility. Unless you have to apply the single quotes yourself (for example because you want to add LIKE wildcards around the value), you should rather use t3lib_DB->fullQuoteStr(), which returns the escaped value already wrapped in single quotes. Neither function escapes the LIKE wildcards % and _; if user input goes into a LIKE pattern, pass it through t3lib_DB->escapeStrForLike() before quoting it. Table and field names cannot be made safe by escaping and must never be taken from user input.
Example using t3lib_DB->quoteStr()
// $GLOBALS['TYPO3_DB']->quoteStr(string $string, string $table)
// The caller supplies the single quotes itself, so it can add the % wildcards.
if ($this->piVars['searchword']) {
$query .= ' AND tx_extensiontable.title LIKE \'%' . $GLOBALS['TYPO3_DB']->quoteStr($this->piVars['searchword'], 'tx_extensiontable') . '%\'';
}
Result:
AND tx_extensiontable.title LIKE '%Is your name really O\'reilly?%'
Example using t3lib_DB->fullQuoteStr()
// $GLOBALS['TYPO3_DB']->fullQuoteStr(string $string, string $table)
// fullQuoteStr() returns the escaped value already wrapped in single quotes, so no quotes are written here.
if ($this->piVars['searchword']) {
$query .= ' AND tx_extensiontable.title LIKE ' . $GLOBALS['TYPO3_DB']->fullQuoteStr($this->piVars['searchword'], 'tx_extensiontable');
}
Result:
AND tx_extensiontable.title LIKE 'Is your name really O\'reilly?'
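The following is an added example, not code from the wiki page or from the TYPO3 core: it builds the WHERE clause from the examples above three ways, once by plain concatenation and twice with the t3lib_DB escaping functions, and runs it against a classic injection payload. Inside TYPO3 the $db object is $GLOBALS['TYPO3_DB']; the DbStandIn class is a constructed stand-in with the same method names so that the file runs without a TYPO3 bootstrap, and the table name tx_extensiontable and the sample inputs are taken from or modelled on the page.

```php
<?php
// Added example, not code from the TYPO3 wiki page or the TYPO3 core.
// DbStandIn is a constructed stand-in for the t3lib_DB methods used here;
// in a real extension use $GLOBALS['TYPO3_DB'] and delete the class.

class DbStandIn
{
    // Stand-in for t3lib_DB::quoteStr(): escapes quote characters and the
    // backslash, adds no surrounding quotes. The real method calls
    // mysql_real_escape_string(), which also covers NUL, CR and LF.
    public function quoteStr($str, $table)
    {
        return addcslashes($str, "\\'\"");
    }

    // Stand-in for t3lib_DB::fullQuoteStr(): escaped value plus single quotes.
    public function fullQuoteStr($str, $table)
    {
        return "'" . $this->quoteStr($str, $table) . "'";
    }

    // Stand-in for t3lib_DB::escapeStrForLike(): backslash-escapes the LIKE
    // wildcards so that user-supplied % and _ match literally.
    public function escapeStrForLike($str, $table)
    {
        return addcslashes($str, '_%');
    }
}

// Vulnerable: the piVar is concatenated into the string literal. The payload
// below closes the quote, appends its own condition and comments out the rest.
function buildWhereVulnerable($table, $searchword)
{
    return 'pid=1 AND ' . $table . '.title LIKE \'%' . $searchword . '%\'';
}

// Exact match: fullQuoteStr() supplies escaping and quotes, so there is no
// quote for the caller to forget.
function buildWhereExact($db, $table, $searchword)
{
    return 'pid=1 AND ' . $table . '.title = ' . $db->fullQuoteStr($searchword, $table);
}

// Substring match: the caller writes the quotes itself to add the wildcards,
// so it uses quoteStr(). escapeStrForLike() runs first so that the backslash
// it inserts is itself escaped by quoteStr() and survives MySQL string parsing.
function buildWhereLike($db, $table, $searchword)
{
    $value = $db->quoteStr($db->escapeStrForLike($searchword, $table), $table);
    return 'pid=1 AND ' . $table . '.title LIKE \'%' . $value . '%\'';
}

$db    = new DbStandIn();
$table = 'tx_extensiontable';   // table name taken from the wiki examples

// Constructed inputs: the page's O'reilly string with a literal % appended,
// and a classic injection payload.
$searchword = "Is your name really O'reilly? 100%";
$payload    = "' OR 1=1 -- ";

echo buildWhereVulnerable($table, $payload), "\n";
echo buildWhereVulnerable($table, $searchword), "\n";
echo buildWhereExact($db, $table, $payload), "\n";
echo buildWhereLike($db, $table, $searchword), "\n";

// In a pi_base plugin the finished clause is handed to the query API, e.g.
// $GLOBALS['TYPO3_DB']->exec_SELECTquery('uid, title', $table, $where);
```

Running the file shows the vulnerable builder emitting a second, attacker-controlled condition, while the two escaped builders keep the payload inside the string literal. Note the order in buildWhereLike(): escaping for LIKE has to happen before quoteStr(), otherwise quoteStr() would not see the inserted backslash and MySQL would consume it while parsing the literal, turning the user's % back into a wildcard.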
Measures against Cross Site Scripting (XSS)
All user-controlled data, whether it arrives directly in the request (for example piVars) or was stored earlier and is read back from the database, must be escaped with htmlspecialchars() at the point where it is written into HTML output. Use ENT_QUOTES when the value is placed inside an attribute, since the default mode leaves the single quote untouched, and pass the charset of the generated page. htmlspecialchars() only protects HTML contexts; a value written into JavaScript or into a URL needs the escaping appropriate for that context.
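As an added example (not code from the wiki page), the search word from the SQL section is reflected back into two HTML contexts, a text node and an attribute value, first raw and then through htmlspecialchars(). The form field name tx_ext[searchword] and the payload are constructed for the example.

```php
<?php
// Added example, not code from the TYPO3 wiki page: reflecting a piVar into
// the result page and into the search form, two different HTML contexts.

// Constructed payload: script in the text context plus a closing quote and an
// event handler for the attribute context.
$searchword = '<script>alert(1)</script>" onmouseover="alert(2)';

// Vulnerable: raw user input written into markup. The text node runs the
// script tag, and the attribute value is closed early to add an event handler.
function renderVulnerable($searchword)
{
    return '<p>Results for ' . $searchword . '</p>'
         . '<input type="text" name="tx_ext[searchword]" value="' . $searchword . '">';
}

// Hardened: every user-controlled value passes through htmlspecialchars() at
// output time. ENT_QUOTES also escapes the single quote, so the same helper is
// safe in single-quoted attributes; the charset must match the page output.
function h($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

function renderEscaped($searchword)
{
    return '<p>Results for ' . h($searchword) . '</p>'
         . '<input type="text" name="tx_ext[searchword]" value="' . h($searchword) . '">';
}

echo renderVulnerable($searchword), "\n";
echo renderEscaped($searchword), "\n";
```

In the escaped output the angle brackets and both quote characters become entities, so the browser renders the payload as text and the attribute value stays a single string. Escape at output rather than at input: the same search word is stored unescaped for the database (where quoteStr() applies) and escaped only when it becomes HTML.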