The TYPO3 Security Team has become aware that many TYPO3 extensions listed in TER use the TYPO3 database API (class t3lib_db) incorrectly. Specifically, we often see the wrong order of escape and quote method calls for LIKE comparisons.
Some Background:
LIKE database queries allow the use of wildcard characters (in MySQL "_" for exactly one character and "%" for zero or more characters). When you construct LIKE queries, you normally decide where to put a wildcard. This requires you to escape any wildcard characters in user-supplied input. The TYPO3 database API provides dedicated methods for escaping and quoting (t3lib_db::escapeStrForLike(), t3lib_db::quoteStr() / t3lib_db::fullQuoteStr()).
The correct order of method calls is important. User input has to be quoted first, and afterwards any wildcard characters it contains escaped, not the other way around! The wrong order might cause wildcard characters not to be escaped correctly, so that data which is not intended to be displayed is shown to a user!
The following is example code for the WHERE part of a database query:
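As an added illustration (this is not the advisory's own example code), the wrong and the correct call order side by side in a TYPO3 4.x frontend plugin; the table name tx_myext_items, the field title and the request parameter sword are assumed for the example.

```php
<?php
// Added example, not code from the TYPO3 advisory: building the WHERE part of a
// LIKE query with t3lib_db. $searchWord comes straight from the request and may
// contain quotes, backslashes or the LIKE wildcards % and _.
$table = 'tx_myext_items';                 // assumed table name
$searchWord = t3lib_div::_GP('sword');     // assumed request parameter

// WRONG order: the wildcards are escaped first and the result is quoted
// afterwards. The quoting step can alter the backslashes that
// escapeStrForLike() inserted, so % and _ from user input may stay live
// wildcards and match rows the user was not meant to see.
$wrongWhere = 'title LIKE \'%' . $GLOBALS['TYPO3_DB']->quoteStr(
    $GLOBALS['TYPO3_DB']->escapeStrForLike($searchWord, $table),
    $table
) . '%\'';

// CORRECT order: quote the raw input first, then escape its wildcard
// characters. quoteStr() (not fullQuoteStr()) is used here because the
// surrounding quotes and the intended % wildcards are added by hand.
$where = 'title LIKE \'%' . $GLOBALS['TYPO3_DB']->escapeStrForLike(
    $GLOBALS['TYPO3_DB']->quoteStr($searchWord, $table),
    $table
) . '%\'';

// Only the correctly built WHERE clause is used for the query.
$res = $GLOBALS['TYPO3_DB']->exec_SELECTquery('uid, title', $table, $where);
while ($row = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($res)) {
    // ... render $row['title'] ...
}
$GLOBALS['TYPO3_DB']->sql_free_result($res);
?>
```

Searching an extension for `quoteStr(` and `fullQuoteStr(` calls whose argument is an `escapeStrForLike(` call is a quick way to find the wrong order.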
So please check your code for the correct order of these method calls!