[Catalyst] [OT] protecting against attacks with multilingual input
Brandon Black
blblack at gmail.com
Tue Dec 5 13:48:04 GMT 2006
On 12/5/06, Daniel McBrearty <danielmcbrearty at gmail.com> wrote:
> This is what I'm talking about. I don't know this technique - I
> thought the only approach was to filter input. I'm using DBIx, AFAIK
> it does use placeholders ... ? If so, I can just take input, do some
> basic "sanity" filtering, and store?
>
Yes, DBIC does use placeholders in most situations. However, the
NoBindVars-based Storage classes do not. This includes the notable
example of MSSQL via DBD::Sybase, which uses NoBindVars to work around
issues with FreeTDS and/or DBD::Sybase. The only really good way to
fix this is to fix the DBDs or underlying DB libraries to properly
support bind variables in all cases.
> Phaylon : sure. A simple example would be, say, a multilingual web
> forum. A text field would have a size limit, but other than that most
> any utf8 character could be input.
If your encoding is utf-8, you'll read in the perl i18n/l10n docs that
UTF-8 has universal definitions for \w, \W, etc. Thus you don't
really even need to know the language to safely validate for word vs
non-word chars, just the encoding.
-- Brandon
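The two points in the message above, shown together in working code. This is an added example, not code from the thread, from DBIx::Class or from DBI; it uses plain DBI with an in-memory DBD::SQLite database standing in for the forum's real store, and the function names (`validate_post`, `store_post`), the 200-character limit and the sample posts are all constructed for the illustration. The validation step decodes the request bytes and relies on Perl's Unicode semantics for `\w`, so it needs no knowledge of the post's language; the storage step hands the text to the driver through `?` placeholders, so quotes inside it are never spliced into the SQL string.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use utf8;                       # source literals below are UTF-8 text
use feature 'unicode_strings';  # Unicode rules for \w even on chars 128-255
use Encode qw(decode encode);
use DBI;

# Validate one post given the raw request bytes. Returns (1, $text) on
# success or (0, $reason) on rejection. Hypothetical helper for this example.
sub validate_post {
    my ($bytes, $max_chars) = @_;

    # Decode bytes -> characters; FB_CROAK makes malformed UTF-8 die
    my $text = eval { decode('UTF-8', $bytes, Encode::FB_CROAK) };
    return (0, 'malformed UTF-8') unless defined $text;

    # length() on a decoded string counts characters, not bytes
    return (0, 'too long') if length($text) > $max_chars;

    # Word chars (\w, any script), whitespace and Unicode punctuation only.
    # Control characters and symbols are rejected; no language list needed.
    return (0, 'disallowed character') unless $text =~ /\A[\w\s\p{P}]+\z/;

    return (1, $text);
}

# Store a validated post. The driver binds both values; the SQL text never
# changes, whatever the body contains. Hypothetical helper for this example.
sub store_post {
    my ($dbh, $author, $body) = @_;
    my $sth = $dbh->prepare('INSERT INTO posts (author, body) VALUES (?, ?)');
    $sth->execute($author, $body);
    return $dbh->last_insert_id(undef, undef, 'posts', undef);
}

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, sqlite_unicode => 1 });   # return TEXT as characters
$dbh->do('CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

# Constructed sample posts, encoded to bytes as a web request would deliver them
my @raw_posts = (
    (map { encode('UTF-8', $_) }
        "Καλημέρα κόσμε",                    # Greek
        "こんにちは世界",                      # Japanese
        "O'Brien said \"gut\"; wirklich.",   # quotes and punctuation, stored as-is
        "tab\x01control",                    # control char -> rejected
    ),
    "\xff\xfe not utf-8",                    # invalid byte sequence -> rejected
);

binmode STDOUT, ':encoding(UTF-8)';
for my $raw (@raw_posts) {
    my ($ok, $result) = validate_post($raw, 200);
    if ($ok) {
        my $id = store_post($dbh, 'guest', $result);
        print "stored post $id\n";
    } else {
        print "rejected: $result\n";
    }
}

# Read back to show the multilingual text and the quotes survived intact
my $rows = $dbh->selectall_arrayref('SELECT id, body FROM posts ORDER BY id');
print "$_->[0]: $_->[1]\n" for @$rows;
```

The validation and the quoting are deliberately separate concerns here: the regex decides what the forum is willing to accept, while the placeholder keeps the accepted text out of the SQL grammar entirely. With a NoBindVars storage, as the message notes, that second guarantee falls back to client-side quoting by the driver, which is why fixing bind-variable support in the DBD is the real fix rather than tightening the filter.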