Whenever you use GET/POST parameters in SQL queries, you face the risk of SQL injection. The golden rule is never to trust user parameters, but always to check and escape their values properly. This article introduces a TYPO3 extension which helps to sanitize parameters by extending TypoScript's stdWrap. PLEASE ALSO READ THE COMMENTS ON THIS ARTICLE FOR UPDATES IN THE TYPO3 CORE TO TACKLE THIS ISSUE!
Using GET/POST vars in SQL queries involves the risk of SQL injection if the parameter is not properly sanitized. There are lots of warnings and documents on the web on how to prevent this in PHP scripts. But what about TypoScript?
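To make the risk on the PHP side concrete before turning to TypoScript, here is an added example (not code from the article or its extension) showing the same lookup written unsafely and then with the TYPO3 4.x core API; the table and field names are constructed, and the TYPO3 4.x calls (t3lib_div::_GP, $GLOBALS['TYPO3_DB']->fullQuoteStr and exec_SELECTgetRows) are assumed to be available.

```php
<?php
// Added example, not part of the original article or its extension.
// Assumes the TYPO3 4.x API and a constructed table "tx_myext_items"
// with the fields "uid", "title" and "category".

// 1) Vulnerable: the raw GET/POST value is concatenated into the WHERE clause.
function findItemsUnsafe()
{
    $category = t3lib_div::_GP('category');   // untrusted and unescaped
    return $GLOBALS['TYPO3_DB']->exec_SELECTgetRows(
        'uid, title',
        'tx_myext_items',
        "category = '" . $category . "'"      // injection point
    );
}

// 2) Hardened: every value is cast or quoted before it reaches the query.
function findItemsSafe()
{
    $db    = $GLOBALS['TYPO3_DB'];
    $table = 'tx_myext_items';

    // String values: fullQuoteStr() escapes the value and wraps it in quotes
    // for the DBMS behind $table, so the parameter can never close the string.
    $category = $db->fullQuoteStr(t3lib_div::_GP('category'), $table);

    // Integer values: cast to int; this is what TypoScript's stdWrap "intval"
    // does as well, so anything non-numeric collapses to 0.
    $minUid = intval(t3lib_div::_GP('minUid'));

    return $db->exec_SELECTgetRows(
        'uid, title',
        $table,
        'category = ' . $category . ' AND uid >= ' . $minUid
    );
}
```

The point to check in your own plugins is that no `_GP()` value is ever used in a query string without passing through one of these two steps first.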