Extension Development, Security Guidelines

From TYPO3Wiki


Measures against SQL-Injections in Form-Fields

PHP

addslashes(string $str)

TYPO3

1. $GLOBALS['TYPO3_DB']->quoteStr(string $str, string $table)

Substitution for the PHP function addslashes(). Use this function instead of addslashes() when you build queries; this prepares your code for DBAL. NOTICE: you must wrap the output of this function in SINGLE QUOTES to be DBAL compatible. Unless you have to apply the single quotes yourself, use ->fullQuoteStr() instead!

Example:

 if ($this->piVars['searchword']) {
     // quoteStr() only escapes the value; the surrounding single quotes and the % wildcards must be added by hand
     $query .= ' AND tx_extensiontable.title LIKE \'%' . $GLOBALS['TYPO3_DB']->quoteStr($this->piVars['searchword'], 'tx_extensiontable') . '%\'';
 }

Result:

 AND tx_extensiontable.title LIKE '%Is your name really O\'reilly?%'

2. $GLOBALS['TYPO3_DB']->fullQuoteStr(string $str, string $table)

Example:

 if ($this->piVars['searchword']) {
     // fullQuoteStr() escapes the value and adds the single quotes itself
     $query .= ' AND tx_extensiontable.title LIKE ' . $GLOBALS['TYPO3_DB']->fullQuoteStr($this->piVars['searchword'], 'tx_extensiontable');
 }

Result:

 AND tx_extensiontable.title LIKE 'Is your name really O\'reilly?'

Measures against Cross Site Scripting (XSS)

All input from the user must be escaped with htmlspecialchars() before it is output.
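The following plugin method ties both measures above together: the search word from piVars is escaped and quoted by fullQuoteStr() before it reaches the query, and it is escaped with htmlspecialchars() before it is printed. This is an added example, not code from the wiki page or from TYPO3 itself; it assumes a TYPO3 4.x frontend plugin (tslib_pibase, $GLOBALS['TYPO3_DB'], $this->cObj), and the class name and table tx_extensiontable are invented.

```php
<?php
// Added example: a TYPO3 4.x frontend plugin method that searches a table by a
// user-supplied term without SQL injection and prints the results without XSS.
// Assumed: tslib_pibase, $GLOBALS['TYPO3_DB'] and $this->cObj are provided by TYPO3;
// tx_example_pi1 and tx_extensiontable are invented names.

class tx_example_pi1 extends tslib_pibase {

    public function searchTitles() {
        $searchword = (string) $this->piVars['searchword'];

        // INSECURE (shown for contrast only): the raw input is concatenated into
        // the SQL string, so a single quote in the input changes the statement.
        // $where = "tx_extensiontable.title LIKE '%" . $searchword . "%'";

        // Escape the LIKE wildcards first so a user-supplied '%' or '_' matches
        // literally (TYPO3's escapeStrForLike() does the same where available),
        // then let fullQuoteStr() escape and single-quote the whole pattern.
        $pattern = '%' . addcslashes($searchword, '%_') . '%';
        $where = 'tx_extensiontable.title LIKE '
            . $GLOBALS['TYPO3_DB']->fullQuoteStr($pattern, 'tx_extensiontable')
            . $this->cObj->enableFields('tx_extensiontable');

        $rows = $GLOBALS['TYPO3_DB']->exec_SELECTgetRows('uid,title', 'tx_extensiontable', $where);

        // XSS: the search term and the stored titles both originate from users,
        // so every value is escaped at the point of output.
        $out = '<p>Results for ' . htmlspecialchars($searchword, ENT_QUOTES) . ':</p><ul>';
        foreach ($rows as $row) {
            $out .= '<li>' . htmlspecialchars($row['title'], ENT_QUOTES) . '</li>';
        }
        return $out . '</ul>';
    }
}
```

For the input `O'reilly 100%`, the WHERE clause becomes `tx_extensiontable.title LIKE '%O\'reilly 100\%%'` and the echoed term is `O&#039;reilly 100%`.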

--Chibox 15:32, 12 February 2008 (CET)
