[Catalyst] Input/Parameter Checks

Mark Blythe [Catalyst] Input/Parameter Checks
On 12/13/07, Jonathan Rockway <jon@jrock.us> wrote:
>
>
> Be mindful of these cases, though:
>
>   # 2
>   my $user = $rs->create({
>       is_admin => 0,
>       username => $c->req->param('username'),
>   });


Are you sure about this one?  I just tested this with DBI_TRACE, and it does
appear to use bind variables when generating the INSERT statement.  I tried
tripping it up with SQL injections, tossing in quotes, semicolons, etc., and
it always handled it gracefully, as it should when properly using binds.
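The distinction the thread turns on, as an added example that is not part of the original post: a bound value (as in `$rs->create`) never becomes part of the SQL text, whereas an `ORDER BY` column is an identifier and cannot be bound, so it needs an allowlist before it is interpolated. This uses plain DBI with DBD::SQLite (assumed installed) rather than DBIx::Class, and the table, rows and inputs are constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed sample: in-memory SQLite database with a users table.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, is_admin INTEGER)');

# Constructed hostile-looking input: quotes, a semicolon and a comment marker.
my $username = q{bob'); DELETE FROM users; --};

# 1) Bound parameter: the driver sends the value separately from the SQL text,
#    so it is stored verbatim and the table is untouched.
my $ins = $dbh->prepare('INSERT INTO users (username, is_admin) VALUES (?, ?)');
$ins->execute($username, 0);

my ($stored) = $dbh->selectrow_array(
    'SELECT username FROM users WHERE username = ?', undef, $username);
my ($count)  = $dbh->selectrow_array('SELECT COUNT(*) FROM users');
print "stored verbatim: ", ($stored eq $username ? 'yes' : 'no'), "\n";
print "rows in users:   $count\n";

# 2) ORDER BY takes a column name, which cannot be a bind parameter. A caller-
#    supplied sort column must therefore be checked against a fixed allowlist
#    before it is placed into the SQL string.
my %sortable = map { $_ => 1 } qw(id username);

sub order_by_clause {
    my ($requested) = @_;
    die "unsupported sort column\n" unless defined $requested && $sortable{$requested};
    return "ORDER BY $requested";
}

# 'col' stands in for a request parameter such as $c->req->param('col').
for my $col ('username', 'username; DROP TABLE users') {
    my $clause = eval { order_by_clause($col) };
    if ($@) {
        print "rejected sort column: $col\n";
        next;
    }
    my $rows = $dbh->selectall_arrayref("SELECT id, username FROM users $clause");
    print "query ran with '$clause', ", scalar(@$rows), " row(s)\n";
}
```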

Thread : [Catalyst] Input/Parameter Checks
1) Mesdaq, Ali: Anyone have some suggestions or references to good modules or best practices in this regards? This...
2) John Napiorkowski: Hi, You have a couple of questions here. First of all, for hardening your SQL, I recommend you use...
3) Mesdaq, Ali: I use DBIC with catalyst and even in cases I don't use DBIC I always use placeholders. However I...
4) Zbigniew Lukasiak: You might have a look at http://www.perlfoundation.org/perl5/index.cgi?form_processing - you'll...
5) Ash Berlin: Right there are two different issues here. 1) Form Validation To check that all fields are...
6) Mesdaq, Ali: There is also input via url which is actually a little more worrisome than form input. I wonder if...
7) Ash Berlin: $c->req->parameters includes query arguments and body/form parameters, so is there some other...
8) apv: that can crash an app and potentially expose debug info depending on one's setup. I reported it...
9) Jonathan Rockway: Be mindful of these cases, though: my $col = $req->params->{col}; $rs->search({}, { order_by =>...
10) Ash Berlin: Agreed. I never do anything like that anyways ;) This comes under "never interpolate *anything*...
11) Jonathan Rockway: Well, you have to get data into the database somehow. It goes without saying that the $rs->create...
12) Ash Berlin: Right you are. /me goes to check that all of his inputs come are parsed by FormValidator::Simple...
13) Mesdaq, Ali: Yes exactly my point in my earlier emails! I am kinda thinking that wrapper would be used like sub...
14) Kieren Diment: HTML::Sanitize seemed to work well for me when I had cause to use it at one point.
15) Christopher H. Laco: Actually, HTML::Sanitizer There's also HTML::Scrubber -=Chris
16) Mark Blythe: Are you sure about this one? I just tested this with DBI_TRACE, and it does appear to use bind...