[Catalyst] [OT] protecting against attacks with multilingual input
Dave Howorth
dhoworth at mrc-lmb.cam.ac.uk
Tue Dec 5 14:03:20 GMT 2006
Brandon Black wrote:
> On 12/5/06, Daniel McBrearty <danielmcbrearty at gmail.com> wrote:
>
>> This is what I'm talking about. I don't know this technique - I
>> thought the only approach was to filter input. I'm using DBIx, AFAIK
>> it does use placeholders ... ? If so, I can just take input, do some
>> basic "sanity" filtering, and store?
>
> Yes, DBIC does use placeholders in most situations. However, the
> NoBindVars-based Storage classes do not. This includes the notable
> example of MSSQL via DBD::Sybase, which uses NoBindVars to work around
> issues with FreeTDS and/or DBD::Sybase. The only really good way to
> fix this is to fix the DBD's or underlying DB libraries to properly
> support bind variables in all cases.
If you can't use bind variables, can't you just use DBI's quote method
to prevent SQL injection?
$sql_safe = $dbh->quote($value);
Cheers, Dave
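As an added illustration of the two approaches discussed in this thread (not code from any of the posters, and not part of DBIx::Class), the script below runs both a bind-variable INSERT and a $dbh->quote-based INSERT against an in-memory SQLite database, then shows that naive string interpolation of the same value breaks the statement. It assumes DBD::SQLite is installed; the table name and the sample name are constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# In-memory SQLite database (assumes DBD::SQLite is available).
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });

$dbh->do('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

# Constructed sample input containing a quote character, as a real name might.
my $name = "O'Brien";

# 1. Placeholder (bind variable): the driver keeps SQL text and data separate,
#    so nothing in $name can be read as SQL.
my $sth = $dbh->prepare('INSERT INTO users (name) VALUES (?)');
$sth->execute($name);

# 2. $dbh->quote: DBI escapes the value (doubling the embedded single quote)
#    and wraps it in quotes so it can be interpolated into the SQL text.
#    This is the fallback when a storage class cannot use bind variables.
my $quoted = $dbh->quote($name);
$dbh->do("INSERT INTO users (name) VALUES ($quoted)");

# 3. Naive interpolation: the unescaped quote ends the literal early and the
#    statement no longer parses. RaiseError makes do() die, which eval catches.
my $ok = eval {
    $dbh->do("INSERT INTO users (name) VALUES ('$name')");
    1;
};
print "naive interpolation failed: $@" unless $ok;

# Both safe variants stored the value intact.
my $rows = $dbh->selectall_arrayref('SELECT name FROM users ORDER BY id');
printf "%d rows stored: %s\n", scalar @$rows, join(', ', map { $_->[0] } @$rows);
```

Note that $dbh->quote is only for values: column and table names need $dbh->quote_identifier, and every value interpolated into the SQL must pass through quote, which is the main reason bind variables remain the preferred approach where the driver supports them.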