[Catalyst] [OT] protecting against attacks with multilingual input

Daniel McBrearty danielmcbrearty at gmail.com
Tue Dec 5 14:13:25 GMT 2006


ah ... google to the rescue. It's obvious why, once I remembered what
an injection attack actually *is* ...  :-)


On 12/5/06, Daniel McBrearty <danielmcbrearty at gmail.com> wrote:
> thanks people, this is very helpful. Well, everything is postgresql /
> linux, so MSSQL will never be an issue.
>
> Also I only ever use utf8 ... so I guess I'm home and dry. It would be
> very neat to be able to do this without locale-switching (and
> installing).
>
> As a matter of interest, does anyone have a reference on why
> placeholders protect against injection attacks? If that is the case,
> maybe I can even leave out \w filtering where that is appropriate.
>
> thanks!
>
> D
>
> On 12/5/06, Brandon Black <blblack at gmail.com> wrote:
> > On 12/5/06, Daniel McBrearty <danielmcbrearty at gmail.com> wrote:
> >
> > > This is what I'm talking about. I don't know this technique - I
> > > thought the only approach was to filter input. I'm using DBIx, AFAIK
> > > it does use placeholders ... ? If so, I can just take input, do some
> > > basic "sanity" filtering, and store?
> > >
> >
> > Yes, DBIC does use placeholders in most situations.  However, the
> > NoBindVars-based Storage classes do not.  This includes the notable
> > example of MSSQL via DBD::Sybase, which uses NoBindVars to work around
> > issues with FreeTDS and/or DBD::Sybase.  The only really good way to
> > fix this is to fix the DBDs or underlying DB libraries to properly
> > support bind variables in all cases.
> >
> > > Phaylon : sure. A simple example would be, say, a multilingual web
> > > forum. A text field would have a size limit, but other than that most
> > > any utf8 character could be input.
> >
> > If your encoding is utf-8, you'll read in the perl i18n/l10n docs that
> > UTF-8 has universal definitions for \w, \W, etc.  Thus you don't
> > really even need to know the language to safely validate for word vs
> > non-word chars, just the encoding.
> >
> > -- Brandon
> >
> > _______________________________________________
> > List: Catalyst at lists.rawmode.org
> > Listinfo: http://lists.rawmode.org/mailman/listinfo/catalyst
> > Searchable archive: http://www.mail-archive.com/catalyst@lists.rawmode.org/
> > Dev site: http://dev.catalyst.perl.org/
> >
>
>
> --
> Daniel McBrearty
> email : danielmcbrearty at gmail.com
> www.engoi.com : the multi - language vocab trainer
> BTW : 0873928131
>


-- 
Daniel McBrearty
email : danielmcbrearty at gmail.com
www.engoi.com : the multi - language vocab trainer
BTW : 0873928131
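Daniel's question about why placeholders stop injection, and Brandon's point that \w works on UTF-8 text without knowing the language, are illustrated below. This is an added example, not code from the thread or from DBIx::Class; it assumes DBD::SQLite is installed and uses an in-memory database in place of the PostgreSQL instance discussed, with a couple of constructed rows.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use utf8;                       # source literals below are UTF-8 character strings
use feature 'unicode_strings';  # Unicode rules for \w even on chars below 256
use DBI;

binmode STDOUT, ':encoding(UTF-8)';

# Assumption: DBD::SQLite stands in for PostgreSQL; the rows are constructed.
# sqlite_unicode makes the driver hand back character strings, not raw bytes.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, sqlite_unicode => 1 });

$dbh->do("CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, body TEXT)");
my $ins = $dbh->prepare("INSERT INTO posts (author, body) VALUES (?, ?)");
$ins->execute("renée", "Bonjour à tous");
$ins->execute("Ørjan", "Hei verden");

# What a user typed into an "author" search box: it contains a single quote,
# which is the only thing an injection attempt needs.
my $input = "x' OR '1'='1";

# 1. Interpolation: the input becomes part of the SQL text, so its quote
#    changes the statement's structure and the WHERE clause matches every row.
my $interpolated = "SELECT author FROM posts WHERE author = '$input'";
my $rows_bad = $dbh->selectall_arrayref($interpolated);
printf "interpolated: %d rows\n", scalar @$rows_bad;   # 2 rows: filter defeated

# 2. Placeholder: the SQL text is fixed at prepare time; the value travels
#    separately and is compared as data, quote and all. No row matches.
my $sth = $dbh->prepare("SELECT author FROM posts WHERE author = ?");
$sth->execute($input);
my $rows_good = $sth->fetchall_arrayref;
printf "placeholder:  %d rows\n", scalar @$rows_good;  # 0 rows

# 3. \w under Unicode rules matches letters from any script, so a
#    "word characters only" sanity check needs the encoding, not the language.
for my $name ("renée", "Ørjan", $input) {
    printf "%-14s %s\n", $name,
        ($name =~ /\A\w+\z/ ? "word chars only" : "rejected");
}
```

The placeholder case is the one DBIx::Class uses for the non-NoBindVars storages Brandon mentions: the driver never splices the value into the statement text, so there is nothing for a quote in the input to terminate. The \w check is a separate, coarser filter that rejects punctuation outright; on a forum body field it would also reject legitimate text, which is the trade-off Daniel is weighing.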
