[Catalyst] [OT] protecting against attacks with multilingual input

Nilson Santos Figueiredo Junior acid06 at gmail.com
Tue Dec 5 20:35:28 GMT 2006


On 12/5/06, Daniel McBrearty <danielmcbrearty at gmail.com> wrote:
> In the first implementation of engoi, I was pretty paranoid about
> these things - there is some fairly draconian filtering going on.
> However, if I can relax and let people use usernames and passwords in
> their own character sets for the future, that would be a nice change
> to make. It *is* supposed to be multilingual, after all ...

If you're using, AFAIK, DBIC you shouldn't really need to worry about
SQL injection (at least not under MySQL or Pg). Then, if you're
worried that some evil user might try injecting some javascript into
their username, all you need to do is to filter the output using one
of the numerous TT filters that suit your case (and that's the correct
place to do it, since it's an HTML limitation and thus something that
only matters to this view).

This way, everything will probably just work, even when the user has a
"<" in their name or any other weird characters.

-Nilson Santos F. Jr.
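The two layers Nilson describes, as an added example that is not from this thread or from Catalyst itself: values are stored and looked up through bound parameters (plain DBI with DBD::SQLite is used so the script is self-contained; DBIx::Class generates the same placeholders through SQL::Abstract), and HTML's special characters are handled only in the view with Template Toolkit's `html` filter. It assumes DBD::SQLite and Template are installed, and the usernames are constructed samples.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use utf8;
use DBI;
use Template;

binmode STDOUT, ':encoding(UTF-8)';

# Constructed sample usernames: a non-Latin script, an apostrophe that would
# end a naively interpolated SQL string, and characters special to HTML.
my @names = ("Ærø O'Brien", '山田<b>太郎</b>', 'Müller & "Co" <admin>');

# Storage: a placeholder keeps the value out of the SQL text entirely, so a
# quote in the name is data, not syntax. (DBIC does this for you; plain DBI is
# used here only to keep the example runnable on its own.)
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, sqlite_unicode => 1 });
$dbh->do('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
my $ins = $dbh->prepare('INSERT INTO users (username) VALUES (?)');
$ins->execute($_) for @names;

# Lookup by the raw value, again bound rather than interpolated; every name
# must come back byte-for-byte unchanged, including the non-ASCII ones.
my $sel = $dbh->prepare('SELECT username FROM users WHERE username = ?');
for my $name (@names) {
    $sel->execute($name);
    my ($found) = $sel->fetchrow_array;
    die "round trip failed for $name" unless defined $found && $found eq $name;
}

# Display: the view is the only place where "<", ">", "&" and '"' matter, so
# escape there with TT's html filter instead of rejecting them on input.
my $tt       = Template->new();
my $template = '<li>[% username | html %]</li>';
for my $name (@names) {
    my $out = '';
    $tt->process(\$template, { username => $name }, \$out) or die $tt->error;
    print "$out\n";
}
```

The `html` filter rewrites only `&`, `<`, `>` and `"` as entities, so the non-Latin characters reach the browser untouched while any markup in a name is rendered as literal text.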



More information about the Catalyst mailing list