-1

i am reworking some old typo3 project extensions. the problem is we have to stay on that pibase structure as it is supported by core anyway. so that extension does some simple CRUD operations, in my case an insert based on submitted values via $_POST. so the old extension just used $_POST directly which is not supported anymore, i guess since the PSR-7 Request/Response implementation.

but now how can i access the submitted values since $_POST is not available anymore and i do not have $this->request either because the extension extends AbstractPlugin.

edit: also we are not inside main() the codeblock is within sendMail()

i also have no idea were sendMail gets called from as there is no available documentation for pibase.

help is much appreciated

netzding
  • 772
  • 4
  • 21
  • wasn't $_get and $_post in $piVars in piBase? https://api.typo3.org/master/class_t_y_p_o3_1_1_c_m_s_1_1_frontend_1_1_plugin_1_1_abstract_plugin.html#ac45d6dc33b89ab0f9f493aa61783d10e – Jonas Eberle Jun 02 '20 at 09:35
  • ye thought the same but $this->piVars is just empty all the way – netzding Jun 02 '20 at 09:37

1 Answers1

1

you can access the GET and POST parameters with \TYPO3\CMS\Core\Utility\GeneralUtility::_GP('name')

but for security reasons that might be filtered away.

we have the concept of cHashes which secure the site against injected parameter. all parameters must be known and are secured aby a hash. TYPO3 remembers the parameter by the cHash. if a cHash is given, the paramters are fetched from database and paramters given to the server are ignored.

for forms (like ext:form or ext:powermail) there are no cHashes generated and the fields of the form can be processed.

if you have 'naked' forms and plain php-files to process, you should change to a form extension where you can use the existing finishers and can add addional finishers (and validators), for these finishers the form data is secured against injection and you do not need to access $_GET or $_POST.

EDIT:
Here is a question/answer how to disable cHash calculation for single form values: TYPO3 - Deactivating cHash in own extension - 8LTS

Bernd Wilke πφ
  • 10,390
  • 1
  • 19
  • 38
  • in my case its a tx_pluginName_pi1.php file for logic with main() and sendMail(), res/template.html for template, and so on... the template contains a normal
    . i understand your answer but it seems like its not an option to refactor on a bigger scale so what are my options with "...lUtility::_GP('name')"? because this and "...lUtility::_POST('name')"/etc... are empty aswell. is there a config to maybe not filter that parameters away?
     – netzding Jun 02 '20 at 14:12
  • 1
    Added a link to my answer – Bernd Wilke πφ Jun 02 '20 at 14:50
  • you could also add \TYPO3\CMS\Core\Utility\GeneralUtility::_POST() and \TYPO3\CMS\Core\Utility\GeneralUtility::_GET() to your answer – netzding Jun 17 '20 at 14:13