October 8, 2010

Correct usage of TYPO3 database API

By: Marcus Krause

Check your own code for correct usage of TYPO3 database API in LIKE comparisons!

The TYPO3 Security Team has become aware that many TYPO3 extensions listed in TER use the TYPO3 database API (class t3lib_db) incorrectly. Specifically, we often see the escape and quote method calls for LIKE comparisons in the wrong order.

Some Background:
LIKE database queries allow the use of wildcard characters (in MySQL, "_" matches exactly one character and "%" matches zero or more characters). When you construct a LIKE query, you normally decide yourself where to put a wildcard. Consequently, any wildcard characters contained in user-supplied input have to be escaped, otherwise they are interpreted as part of the pattern. The TYPO3 database API provides dedicated methods for escaping and quoting (t3lib_db::escapeStrForLike(), t3lib_db::quoteStr() / t3lib_db::fullQuoteStr()).

The correct order of these method calls is important. User input has to be quoted first, and afterwards any wildcard characters it contains have to be escaped - not the other way around! A wrong order might cause wildcard characters not to be escaped correctly, so that data is shown to a user which is not intended to be displayed!

The following example code shows the WHERE part of a database query:

  • WRONG: "1 AND foo LIKE '" . $GLOBALS['TYPO3_DB']->quoteStr( $GLOBALS['TYPO3_DB']->escapeStrForLike($bar, 'tx_table'), 'tx_table') . "%'";
  • CORRECT: "1 AND foo LIKE '" . $GLOBALS['TYPO3_DB']->escapeStrForLike( $GLOBALS['TYPO3_DB']->quoteStr($bar, 'tx_table'), 'tx_table') . "%'";

So please check your code for the correct order of these method calls!
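As an added illustration (not code from the TYPO3 Security Team post), the snippet below wraps the required call order in a small helper and adds a simple regular-expression check that flags the wrong nesting in extension source code. It assumes the TYPO3 4.x API named in the post (a t3lib_db instance with quoteStr() and escapeStrForLike()); the helper name, the regular expression and the sample source lines are my own constructions.

```php
<?php
/**
 * Build "field LIKE 'value%'" for a prefix search with the call order the
 * post requires: quote the user input for the SQL string literal first,
 * then escape the LIKE wildcards "%" and "_" in the quoted result.
 *
 * @param t3lib_db $db        database connection (normally $GLOBALS['TYPO3_DB'])
 * @param string   $field     column name, must NOT come from user input
 * @param string   $userInput raw user-supplied search term
 * @param string   $table     table name passed through to the API methods
 * @return string  WHERE fragment, e.g. "foo LIKE 'abc\_def%'"
 */
function buildPrefixLikeCondition(t3lib_db $db, $field, $userInput, $table) {
    $quoted  = $db->quoteStr($userInput, $table);       // step 1: quote
    $escaped = $db->escapeStrForLike($quoted, $table);  // step 2: escape wildcards
    return $field . " LIKE '" . $escaped . "%'";
}

/**
 * Heuristic source check: report lines where quoteStr()/fullQuoteStr() is
 * wrapped directly around $GLOBALS['TYPO3_DB']->escapeStrForLike(...), i.e.
 * the WRONG order from the post. Calls split across several lines or made
 * on a differently named connection variable are not detected.
 *
 * @param string $source PHP source code of an extension file
 * @return array 1-based line numbers with the wrong nesting
 */
function findWrongLikeEscapeOrder($source) {
    $pattern = '/(?:fullQuoteStr|quoteStr)\s*\(\s*\$GLOBALS\[\s*[\'"]TYPO3_DB[\'"]\s*\]\s*->\s*escapeStrForLike\s*\(/';
    $hits = array();
    foreach (explode("\n", $source) as $index => $line) {
        if (preg_match($pattern, $line)) {
            $hits[] = $index + 1;
        }
    }
    return $hits;
}

// Constructed sample of extension code: line 2 has the wrong order, line 3 the correct one.
$sample = implode("\n", array(
    '// constructed sample, not real extension code',
    "\$where = \"1 AND foo LIKE '\" . \$GLOBALS['TYPO3_DB']->quoteStr(\$GLOBALS['TYPO3_DB']->escapeStrForLike(\$bar, 'tx_table'), 'tx_table') . \"%'\";",
    "\$where = \"1 AND foo LIKE '\" . \$GLOBALS['TYPO3_DB']->escapeStrForLike(\$GLOBALS['TYPO3_DB']->quoteStr(\$bar, 'tx_table'), 'tx_table') . \"%'\";",
));

foreach (findWrongLikeEscapeOrder($sample) as $lineNo) {
    echo 'Wrong quote/escape order on line ' . $lineNo . "\n";  // reports line 2 only
}
```

To check a whole extension, feed each .php file's contents to findWrongLikeEscapeOrder() (for example from a loop over glob() results) and review every reported line by hand; the regular expression is only a first filter and does not replace reading the query construction code.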
