[Catalyst] [OT] protecting against attacks with multilingual input

Steve Atkins steve at blighty.com
Tue Dec 5 14:06:28 GMT 2006


On Dec 5, 2006, at 5:28 AM, Daniel McBrearty wrote:

>>
>> If you're talking about sql injection then presumably you could do
>> this exactly the same as you would any other input field - use sql
>> placeholders in a prepared query rather than blindly pasting
>> untrusted input as sql.
>>
>
> This is what I'm talking about. I don't know this technique - I
> thought the only approach was to filter input. I'm using DBIx, AFAIK
> it does use placeholders ... ? If so, I can just take input, do some
> basic "sanity" filtering, and store?

Yes. It's something you should trust your ORM to get right,
rather than doing things at the application level.

Some databases don't really support placeholders, though,
so the DBD drivers fake up support instead. I'm not sure
whether I'd trust that quite as much, so it depends on the
database you're using. PostgreSQL or MySQL should be fine,
I've no idea about others.

There can be a lot of other pain with dealing with i18n user
data in the database, but sql injection problems shouldn't
be one of them (well, they might be occasionally, but at the
sort of level it's hard for anyone other than the DB and ORM
developers to deal with).

Cheers,
   Steve
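The placeholder approach described above, as an added example that is not part of the original thread and not code from Catalyst or DBIx::Class. It uses plain DBI with DBD::SQLite (DBIx::Class generates bind-parameter queries of the same shape on top of DBI) and constructed multilingual sample names; the in-memory database and the sample values are assumptions, not anything from the post.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use utf8;
use DBI;

binmode STDOUT, ':encoding(UTF-8)';

# Constructed in-memory SQLite database; sqlite_unicode => 1 makes DBD::SQLite
# exchange Perl character strings (not raw bytes) with the database.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, sqlite_unicode => 1 });
$dbh->do('CREATE TABLE users (name TEXT NOT NULL)');

# Constructed sample input: the kind of values a web form might submit,
# including an apostrophe and several non-ASCII scripts.
my @names = ("O'Brien", "Zoë", "山田太郎", "Łukasz");

# Safe: each value travels as a bind parameter, never as part of the SQL text,
# so quotes or multibyte characters in it cannot alter the statement.
my $ins = $dbh->prepare('INSERT INTO users (name) VALUES (?)');
$ins->execute($_) for @names;

# Unsafe pattern shown for contrast: pasting the value into the SQL string.
# The perfectly legitimate name O'Brien already breaks it (unbalanced quote),
# which is the same failure mode an injection would rely on.
sub insert_by_interpolation {
    my ($name) = @_;
    my $ok = eval { $dbh->do("INSERT INTO users (name) VALUES ('$name')"); 1 };
    return $ok ? 'ok' : "failed: $@";
}
print "interpolation with O'Brien: ", insert_by_interpolation("O'Brien"), "\n";

# Round trip: look each name up with a placeholder and confirm it was stored
# exactly once, character for character, with no filtering needed.
my $sel = $dbh->prepare('SELECT COUNT(*) FROM users WHERE name = ?');
for my $n (@names) {
    $sel->execute($n);
    my ($count) = $sel->fetchrow_array;
    printf "%-10s stored %d time(s)\n", $n, $count;
}
```

Requires DBI and DBD::SQLite from CPAN; the "basic sanity filtering" mentioned in the thread is then about what the application considers a valid name, not about protecting the SQL.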