Sanitize user-input in TYPO3 repository function needed? - typo3

I have a TYPO3 repository function that create a like-query.
I wonder, if I have to sanitize the user input to prevent sql-injection and if so, how.
I read s.th. that this is automatically done by the doctrine layer.
I'm on TYPO3 9.5.
Please advice.
Here is my repository-class together with the function:
class ProductRepository extends \TYPO3\CMS\Extbase\Persistence\Repository
{
/**
* find
*
* #return Tx_Extbase_Persistence_QueryResult
*/
public function findAllLike( $name) {
$query = $this->createQuery();
$orConstraints = array();
$orConstraints[] = $query->like('productname', '%'.$name.'%');
$orConstraints[] = $query->like('tradename','%'.$name.'%');
$constraints[] = $query->logicalOr($orConstraints);
return $query->matching($query->logicalAnd($constraints))->execute();
}


Yes you have to escape your like query
see the documentation on TYPO3 Querybuilder
https://docs.typo3.org/m/typo3/reference-coreapi/master/en-us/ApiOverview/Database/QueryBuilder/Index.html#database-query-builder-escape-like-wildcards

Related

TYPO3 FileReference repository query search through file name

I have made a 'document' model which contains a field 'file' which is a FileReference. Now im working on a repository query function that retrieves all documents containing certain string in the files name ( using $query->like() for this ). However I run against the following error:
When ever I disable this $query->like and I debug the 'document' that I receive it looks like the relation information regarding the field 'uidLocal' is correct because I receive the name of the file.
Some more code im using:
class FileReference extends \TYPO3\CMS\Extbase\Domain\Model\FileReference
{
/**
* #var \**\***\Domain\Model\File
*/
protected $uidLocal;
/**
* #param \**\***\Domain\Model\File $uidLocal
* #return void
*/
public function setUidLocal($uidLocal)
{
$this->uidLocal = $uidLocal;
}
/**
* #return \**\***\Domain\Model\File
*/
public function getUidLocal()
{
return $this->uidLocal;
}
}
The repository query:
$query->matching(
$query->logicalAnd(
$query->greaterThanOrEqual('crdate', $from),
$query->contains('usergroups', $participant),
// TODO: Onderstaande check moet aan maar resulteerd in error..
$query->like('file.uidLocal.name', '%'.$filename.'_'.$type.'.%')
)
);
Now I can ofcourse filter the document name after the query but that wont do well for the performance of the task. Does anyone know what im missing and where the error comes from?
Thanks in advance for contributing ideas,
Falko

I guess you are trying something like that?
$query = $this->createQuery();
$query->matching($query->like('file.uidLocal.name', '%somefile%'));
I am not sure if you can join from sys_file_reference to sys_file with extbase query.
For me it looks like the TCA or the FileReference Model is not implemented that way.
Maybe a workaround is to create a custom sql query wich returns uids and then create your document models with something like ->findAllByUids($uids);
Here is a working example wich uses the query builder instead of extbase query.
class ArticleRepository extends Repository
{
public function findAllByFilename($filename)
{
/* #var $queryBuilder \TYPO3\CMS\Core\Database\Query\QueryBuilder */
$queryBuilder = GeneralUtility::makeInstance(ConnectionPool::class)
->getQueryBuilderForTable('tx_example_domain_model_article');
$queryBuilder->setRestrictions(GeneralUtility::makeInstance(FrontendRestrictionContainer::class));
$res = $queryBuilder
->select('article.uid')
->from('tx_example_domain_model_article', 'article')
->leftJoin('article', 'sys_file_reference', 'reference',
$queryBuilder->expr()->andX(
$queryBuilder->expr()->eq('reference.uid_foreign', $queryBuilder->quoteIdentifier('article.uid')),
$queryBuilder->expr()->eq('reference.tablenames', $queryBuilder->quote('tx_example_domain_model_article')),
$queryBuilder->expr()->eq('reference.fieldname', $queryBuilder->quote('image')),
$queryBuilder->expr()->eq('reference.table_local', $queryBuilder->quote('sys_file'))
))
->leftJoin('article', 'sys_file', 'file',
$queryBuilder->expr()->eq('file.uid', $queryBuilder->quoteIdentifier('reference.uid_local'))
)
->where($queryBuilder->expr()->eq('file.name', $queryBuilder->createNamedParameter($filename)))
->execute();
debug($queryBuilder->getSQL());
$uids = [];
while ($row = $res->fetch()) {
$uids[] = $row['uid'];
}
return $this->findAllByUids($uids);
}
public function findAllByUids($uids) {
$query = $this->createQuery();
$query->matching($query->in('uid', $uids));
return $query->execute();
}

conversion of magento 1 into magento 2

I was using fetch_assoc() method in magento 1 .
I want to convert it into Magento 2 . there is no fetch_assoc() method in magento 2.
if(is_object($result))
{
while ($resultsArray =$result->fetch_assoc())
{
if(empty($data))
{
$data[] = array_keys($resultsArray);
}
$data[] = $resultsArray;
} var_dump($data);
}

I'm not sure my proposed solution is useful for you or not but the best approach to fetch data in Magento 2 is based on Models and Collections.
Step 1: Firstly, you have to create a Model file in your module
<?php
namespace <Vendor_Name>\<Module_Name>\Model;
use Magento\Framework\Model\AbstractModel;
class Data extends AbstractModel
{
protected function _construct()
{
$this->_init('<Vendor_Name>\<Module_Name>\Model\ResourceModel\Data');
}
}
Step 2: Create ResourceModel file in your custom module
<?php
namespace <Vendor_Name>\<Module_Name>\Model\ResourceModel;
use \Magento\Framework\Model\ResourceModel\Db\AbstractDb;
class Data extends AbstractDb
{
protected function _construct()
{
// Second parameter is a primary key of the table
$this->_init('Table_Name', 'id');
}
}
Step 3: Create Collection file to initialize Model and ResourceModel files.
namespace <Vendor_Name>\<Module_Name>\Model\ResourceModel\Data;
use Magento\Framework\Model\ResourceModel\Db\Collection\AbstractCollection;
class Collection extends AbstractCollection
{
protected function _construct()
{
$this->_init(
'<Vendor_Name>\<Module_Name>\Model\Data',
'<Vendor_Name>\<Module_Name>\Model\ResourceModel\Data'
);
}
}
Step 4: Last thing that you need to do is create a Block file in the same module and utilize collection, something like this:
namespace <Vendor_Name>\<Module_Name>\Block;
use Magento\Framework\View\Element\Template\Context;
use Magento\Framework\View\Element\Template;
use <Vendor_Name>\<Module_Name>\Model\Data as DataCollection;
class Custom_Module extends Template
{
protected $dataCollection;
public function __construct(Context $context, DataCollection $dataCollection)
{
$this->_dataCollection = $dataCollection;
parent::__construct($context);
}
public function getDataCollecton()
{
$collection = $this->_dataCollection->getCollection();
return $collection;
}
}
Another Solution
You can also use fetchAll instead of fetch_assoc() in Magento 2, if you don't want to implement models and collections based solution, something like this:
// Select Data from table
$sql = "Select * FROM " . $tableName;
$result = $connection->fetchAll($sql);
and for reference, you can also have a look into Magento2 – Write Custom Mysql Query (Without Using Model)

I think we can use something like below :
$adapter = $this->resourceConnection->getConnection($resource);
$stmt = $adapter->query($sql);
// Use FETCH_NUM so we are not dependent on the CASE attribute of the PDO connection
$results = $stmt->fetchAll(\Zend_Db::FETCH_ASSOC);
Or if we have $connection instanceof \Magento\Framework\DB\Adapter\AdapterInterface
$connection->fetchAll($sql, $binds, \PDO::FETCH_ASSOC);
By using those, i think you're gonna get the same result to magento 1 fetch_assoc

Alternative of the fetch_assoc() in magento 2 is fetchAssoc($SQL_QUERY)
Below is the example.
For get order where status is pending data using fetchAssoc(SQL_QUERY)
<?php
namespace Path\To\Class;
use Magento\Framework\App\ResourceConnection;
class fetchAssoc {
const ORDER_TABLE = 'sales_order';
/**
* #var ResourceConnection
*/
private $resourceConnection;
public function __construct(
ResourceConnection $resourceConnection
) {
$this->resourceConnection = $resourceConnection;
}
/**
* fetchAssoc Sql Query
*
* #return string[]
*/
public function fetchAssocQuery()
{
$connection = $this->resourceConnection->getConnection();
$tableName = $connection->getTableName(self::ORDER_TABLE);
$query = $connection->select()
->from($tableName,['entity_id','status','grand_total'])
->where('status = ?', 'pending');
$fetchData = $connection->fetchAssoc($query);
return $fetchData;
}
}

In magento 2 you can use same but for that you need to create database connection.
I suggest you to use resource or collection models to get the result and if you want to get the first row in object format then you should use
getFirstItem();

I think Magento 2 has support for this in class \Magento\Framework\DB\Adapter\AdapterInterface. You can create an instance for AdapterInterface by dependency injection or directly by object manager.
$objectManager = \Magento\Framework\App\ObjectManager::getInstance();
/** #var \Magento\Framework\App\ResourceConnection $resourceConnection */
$resourceConnection = $objectManager->get(\Magento\Framework\App\ResourceConnection::class);
/** #var \Magento\Framework\DB\Adapter\AdapterInterface $connection */
$connection = $resourceConnection->getConnection(\Magento\Framework\App\ResourceConnection::DEFAULT_CONNECTION);
$sql = "YOUR SELECT QUERY HERE";
$data = $connection->fetchAssoc($sql);

Is it possible to disable lazy loading for ODM Doctrine?

We are developing API with Silex and Doctrine (ODM) and we have object Story, which have property images.
class Story extends AbstractDocument
{
/** #MongoDB\Id */
protected $id;
/**
* #MongoDB\ReferenceMany(
* targetDocument="MyNamespace\Documents\Image",
* storeAs="DBRef"
* )
*/
protected $images = [];
// Other properties and methods
}
We have get method in repository (in AbstractRepository, from which extends all other repositories).
public function get(string $documentId) : array
{
$document = $this->createQueryBuilder()
->field('id')->equals($documentId)
->hydrate(false)
->getQuery()
->toArray();
}
This method returns embedded and referenced objects, but for referenceMany returns only ids without data.
Is it possible to deny lazy loading to get all documents ?
One possible solution, which we found - rewrite method toArray.

As soon as you use ->hydrate(false) you are instructing ODM to get out of your way and return you raw data from MongoDB. You are seeing the referenceMany as an array of ids because that is the raw representation, no lazy loading is involved.
The cleanest way to solve your issue would be implementing StoryRepository which would fire an additional query to get referenced images:
public function get(string $documentId) : array
{
$document = $this->createQueryBuilder()
->field('id')->equals($documentId)
->hydrate(false)
->getQuery()
->toArray();
$document['images'] = /* ... */;
return $document;
}

Add data to TYPO3 Repository Extbase

I want to develop an extension for TYPO3 6.2.
In the controller class I created a action called "fetchFeUsersAction".
This action loads a set of data from the table fe_users in the table which was created from the extensionbuilder from the model.
The function to the get the users in the Repository looks like this:
public function getFeUsers()
{
/** #var Query $q */
$q = $this->createQuery();
$q->statement('SELECT * from fe_users');
$data = $q->execute(true);
return $data;
}
This works very fine.
But now I want to store the results from the table fe_users in my model with this action:
public function fetchFeUsersAction()
{
$data = $this->adressRepo->getFeUsers();
foreach ($data as $feuser) {
/** #var Adresse $address */
$address = $this->objectManager->get(Adresse::class);
$q= $this->adressRepo->createQuery();
$q->matching(contains('email', $feuser['email']));
$contain= $q->execute();
if($contain==NULL){
$address->setEmail($feuser['email']);
$this->adressRepo->add($address);
}
}
$this->redirect('list');
}
Here I want to check if the email adress is already stored in my table.
If the email adress is not stored it should be added to the model.
But it doesnt work. Even with an empty table. Without the condition it works very fine.

Extbase persists the complete data into the DB later. You need to persist manually i think, like this:
/** #var \TYPO3\CMS\Extbase\Persistence\Generic\PersistenceManager */
$persistenceManager = GeneralUtility::makeInstance(\TYPO3\CMS\Extbase\Persistence\Generic\PersistenceManager::class);
$persistenceManager->persistAll();
Not currently tested, just copied it from my of my extensions. but in there i had the same problem to check if it exists.
Hope this helps a little bit.

Using Image Content Objects from tt_content in Extbase

I want to write an Extbase Backend module which needs a list of all Objects generated from tt_content with CType = 'image'.
Now I started defining a simple model
class Tx_Myextension_Domain_Model_Content extends Tx_Extbase_DomainObject_AbstractEntity
{
/**
* #var string
*/
protected $header;
/**
* #return the $header
*/
public function getHeader()
{
return $this->header;
}
/**
* #param string $header
*/
public function setHeader($header)
{
$this->header = $header;
}
}
and a Repository
class Tx_Myextension_Domain_Repository_ContentRepository extends Tx_Extbase_Persistence_Repository
{
public function initializeObject()
{
$querySettings = $this->objectManager->create('Tx_Extbase_Persistence_Typo3QuerySettings');
$querySettings->setRespectStoragePage(FALSE);
$this->setDefaultQuerySettings($querySettings);
}
}
As far as I know the initializeObject method is a way to get all content elements, no matter which pid they have.
At last I tried to map my Content Class on tt_content:
plugin.tx_myextension {
persistence {
classes {
Tx_Myextension_Domain_Model_Content {
mapping {
tableName = tt_content
recordType = Tx_Myextension_Domain_Model_Content
columns {
header.mapOnProperty = header
}
}
}
}
}
}
module.tx_myextension {
persistence < plugin.tx_myextension.persistence
}
No I want to use the Repo. e.g. countAll. Unfortunately it always returns 0. Looking for the MySQL query discovers the problem:
SELECT COUNT(*)
FROM tt_content
WHERE (tt_content.CType='Tx_Myextension_Domain_Model_Content')
AND tt_content.deleted=0 AND tt_content.hidden=0
AND (tt_content.starttime<=1313073660)
AND (tt_content.endtime=0 OR tt_content.endtime>1313073660)
AND tt_content.sys_language_uid IN (0,-1)
AND tt_content.pid IN (0)
Typo 3 or Extbase or something different added all these where clauses to the query. I just want to get rid of the CType and pid clauses. As I said, I thought that the method used in the Repo leads to ignoring the pid, which is obviously not the case.
Can somebody help me? All I want is an array of Image Content Elements. Thank you in advance.

Late answer: You'll most likely want to call
query->getQuerySettings()
->setRespectEnableFields(FALSE)
->setRespectSysLanguage(FALSE);
for your query. You can disable it for all queries in your repository's initializeObject method:
$querySettings = $this->objectManager->create('Tx_Extbase_Persistence_Typo3QuerySettings');
$querySettings
->setRespectStoragePage(FALSE)
->setRespectEnableFields(FALSE)
->setRespectSysLanguage(FALSE);
$this->setDefaultQuerySettings($querySettings);
See: TYPO 3 API docs

Try to remove the Node "recordType" from your Persistence Definition.