[Catalyst] [OT] protecting against attacks with multilingual input

Daniel McBrearty danielmcbrearty at gmail.com
Tue Dec 5 14:40:48 GMT 2006


I'll never forget the hours I spent discovering that mysql needs some
little-documented command on connect, even though all tables are
declared as UTF8 ... one of the factors that decided me on postgresql
for the next version.

In the first implementation of engoi, I was pretty paranoid about
these things - there is some fairly draconian filtering going on.
However, if I can relax and let people use usernames and passwords in
their own character sets for the future, that would be a nice change
to make. It *is* supposed to be multilingual, after all ...

many thanks for the help.

On 12/5/06, Steve Atkins <steve at blighty.com> wrote:
>
> On Dec 5, 2006, at 5:28 AM, Daniel McBrearty wrote:
>
> >>
> >> If you're talking about sql injection then presumably you could do
> >> this exactly the same as you would any other input field - use sql
> >> placeholders in a prepared query rather than blindly pasting
> >> untrusted input as sql.
> >>
> >
> > This is what I'm talking about. I don't know this technique - I
> > thought the only approach was to filter input. I'm using DBIx, AFAIK
> > it does use placeholders ... ? If so, I can just take input, do some
> > basic "sanity" filtering, and store?
>
> Yes. It's something you should trust your ORM to get right,
> rather than doing things at the application level.
>
> Some databases don't really support placeholders, though,
> so the DBD drivers fake up support instead. I'm not sure
> whether I'd trust that quite as much, so it depends on the
> database you're using. Postgresql or Mysql should be fine,
> I've no idea about others.
>
> There can be a lot of other pain with dealing with i18n user
> data in the database, but sql injection problems shouldn't
> be one of them (well, they might be occasionally, but at the
> sort of level it's hard for anyone other than the DB and ORM
> developers to deal with).
>
> Cheers,
>    Steve
>


-- 
Daniel McBrearty
email : danielmcbrearty at gmail.com
www.engoi.com : the multi - language vocab trainer
BTW : 0873928131
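The two points raised in this thread (set the character set at connect time, and bind untrusted values with placeholders instead of filtering them into SQL text), as an added Perl/DBI example that is not code from either poster. It assumes DBD::SQLite is installed and uses an in-memory database with constructed sample users in place of a real one; the DBD::mysql and DBD::Pg connect attributes in the comments are the equivalents for those drivers.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use utf8;                                  # literals in this file are UTF-8
use DBI;
binmode STDOUT, ':encoding(UTF-8)';

# Added example, not code from the thread. Assumes DBD::SQLite is installed;
# an in-memory database stands in for the real one. The driver-specific
# attribute that decodes/encodes text on the way in and out is the piece
# that has to be set at connect time, whatever the tables are declared as:
#   SQLite:      sqlite_unicode    => 1   (DBD::SQLite)
#   MySQL:       mysql_enable_utf8 => 1   (DBD::mysql)
#   PostgreSQL:  pg_enable_utf8    => 1   (DBD::Pg)
my $dbh = DBI->connect( "dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0, sqlite_unicode => 1 } );

$dbh->do("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)");

# Constructed sample users: several scripts, and one name with an apostrophe.
my @users = (
    [ "Daniel",   "hash-1" ],
    [ "Zoë",      "hash-2" ],
    [ "山田太郎", "hash-3" ],
    [ "Émilie",   "hash-4" ],
    [ "O'Brien",  "hash-5" ],
);

# Placeholders: the value travels separately from the SQL text, so quotes,
# backslashes and non-ASCII characters in it are data, never syntax.
my $ins = $dbh->prepare("INSERT INTO users (username, pw_hash) VALUES (?, ?)");
$ins->execute(@$_) for @users;

sub lookup_with_placeholder {
    my ($name) = @_;
    my $sth = $dbh->prepare("SELECT pw_hash FROM users WHERE username = ?");
    $sth->execute($name);
    my ($hash) = $sth->fetchrow_array;
    return $hash;
}

# The pattern to avoid: pasting the value into the SQL text. Character-set
# filtering does not fix this; a perfectly legitimate apostrophe already
# turns the name into broken SQL, which RaiseError reports as a die.
sub lookup_by_interpolation {
    my ($name) = @_;
    my ($hash) = eval {
        $dbh->selectrow_array("SELECT pw_hash FROM users WHERE username = '$name'")
    };
    return $@ ? "SQL error" : $hash;
}

for my $u (@users) {
    my $name = $u->[0];
    printf "%-10s placeholder: %-8s interpolated: %s\n",
        $name,
        lookup_with_placeholder($name) // 'undef',
        lookup_by_interpolation($name) // 'undef';
}
```

Run it with `perl placeholders.pl`: every name round-trips through the placeholder query unchanged, while the interpolated query appears to work right up to the name containing an apostrophe. DBIx::Class generates the placeholder form for `$rs->search({ username => $name })` and passes the value as a bind parameter, so with an ORM the remaining input checks are about your own rules (length, allowed characters), not about quoting for SQL.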