I am trying to debug an issue (not my own code) with strings getting escaped and re-escaped repeatedly as the item is resaved.
The code uses mysql_real_escape_string, but even though magic quotes are turned off, the post variables are already quoted when my action is called, so the call to mysql_real_escape_string doubles up the quotes, and then every time the item is resaved more and more slashes pile up.
So I need to make sure the item is escaped (once) before going to the database but then un-escaped when displayed on the page.
My action begins like so:
public function adminAction() {
    $prizes = $_POST['tx_xxx_bingofrontend']['prize'];
    // at this point my prize[] elements are already quoted, why?
    $cleanedValues = array();
    foreach ($prizes as $key => $prize) {
        foreach ($prize as $field => $value) {
            // echo "Magic quotes is " . (get_magic_quotes_gpc() ? "ON" : "OFF");
            // echo strip_tags($value); die;
            // OFF gets printed
            $cleanedValues[$field] = mysql_real_escape_string(strip_tags($value));
        }
        .... more code
I am using typo3 v4.5.30; is there a typo3 setting or possibly an extension API call made somewhere that does the escaping before my action code fires?
How can I make sure the strings get displayed properly and resaved properly?
Thanks!
UPDATE: I now have this code:
public function adminAction() {
    $postsvars = t3lib_div::_POST();
    $prizes = $postsvars['tx_xxx_xxfrontend']['prize'];
    $cleanedValues = array();
    foreach ($prizes as $key => $prize) {
        foreach ($prize as $field => $value) {
            // echo "Magic quotes is " . (get_magic_quotes_gpc() ? "ON" : "OFF");
            // echo strip_tags($value); die;
            $cleanedValues[$field] = $GLOBALS['TYPO3_DB']->quoteStr(strip_tags($value), 'tx_xxx_domain_model_prize');
        }
    }
which runs before each update and create, and it properly adds the slashes (I'm not sure how it uses my table name in the call, but it seems to work, so OK). But when I read the data back and remove the slashes for display, like so in my model:
public function UnEscapePrize() {
    $this->setTitle(stripslashes($this->getTitle()));
    ..... other vars get un-escaped
}
the removal of slashes gets saved into the database which is not what I want. I just want to remove them for the view. How can I do so?
UPDATE 2: Or am I worried over nothing? Is typo3 4.5.3/extbase 1.3 susceptible to SQL injection attacks when using the default update and add methods? If it uses string concatenation to piece together SQL then it may be, but if it uses prepared statements it isn't. I come from a place that still used a lot of string-concatenated SQL, so this worry is just second nature to me.
TYPO3 auto-escapes POST variables, this is correct.
The proper way to access them in typo3 is t3lib_div::_POST($name), which will give you them unescaped.
See the documentation.
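To make the double-escaping from the question and the fix from the answer concrete, here is an added stand-alone simulation of the edit/resave cycle (example code, not from the question, the answer or TYPO3). It assumes that TYPO3's GPC auto-escaping and the driver's string escaping both behave like addslashes(), and that the database stores the literal string behind the escapes (stood in for by stripslashes()), so no database or TYPO3 install is needed to run it.

```php
<?php
// Added example: simulate one edit/resave round trip of a prize title.
// Assumption: TYPO3 4.x GPC auto-escaping == addslashes() (stand-in).
function typo3AutoEscape(array $gpc)
{
    return array_map('addslashes', $gpc);
}

// $readRawPost = true  models reading $_POST directly (still slashed).
// $readRawPost = false models t3lib_div::_POST(), which hands back the unslashed value.
function saveCycle($stored, $readRawPost)
{
    $browserPost    = array('title' => $stored);   // form re-rendered with the stored value
    $escapedByTypo3 = typo3AutoEscape($browserPost);
    $input = $readRawPost
        ? $escapedByTypo3['title']
        : stripslashes($escapedByTypo3['title']);
    // The action's single escape step at the DB boundary.
    // Assumption: quoteStr()/mysql_real_escape_string() behave like addslashes() here.
    $quoted = addslashes(strip_tags($input));
    // What the DB actually stores: the literal behind the escape sequences.
    return stripslashes($quoted);
}

// Value in the database after $cycles edit/resave round trips.
function afterCycles($raw, $cycles, $readRawPost)
{
    $value = $raw;
    for ($i = 0; $i < $cycles; $i++) {
        $value = saveCycle($value, $readRawPost);
    }
    return $value;
}

$raw = "O'Reilly's prize";                         // constructed sample input
echo afterCycles($raw, 3, true),  "\n";            // $_POST path: one extra backslash per save
echo afterCycles($raw, 3, false), "\n";            // _POST() path: stays "O'Reilly's prize"
```

Because the stored value on the t3lib_div::_POST() path carries no slashes, no stripslashes() step in the model is needed for display, which also avoids the persistence side effect described in the first update.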