[Catalyst] Input/Parameter Checks

John Napiorkowski jjn1056 at yahoo.com
Thu Dec 13 21:41:25 GMT 2007


--- "Mesdaq, Ali" <amesdaq at websense.com> wrote:

> Anyone have some suggestions or references to good
> modules or best
> practices in this regard? This is mainly in regard
> to using these
> inputs in sql queries or other areas where common
> attacks against web
> applications happen. I wonder in the catalyst world
> what best practices
> are. Would it be a catalyst plugin that would best
> fit that role or a
> module that gets used in the controller possibly
> maybe just some code in
> the model? It just feels like it's one of those
> things that has been
> solved by someone else way better than I would have
> done it and I am
> just not aware of it. Kinda like when I wrote my own
> logging module
> because at the time I didn't find a good one then I
> stumble across
> log4perl and realize how badly I wasted my time!
> 
> Thanks,
> ------------------------------------------
> Ali Mesdaq (CISSP, GIAC-GREM)
> Security Researcher II
> Websense Security Labs
> http://www.WebsenseSecurityLabs.com
> ------------------------------------------

Hi,

You have a couple of questions here.  First of all,
for hardening your SQL, I recommend you use an ORM,
like DBIx::Class or Rose::DB to act as a layer between
your front end code (collecting form params, for
instance, typically in your controller) and the actual
database.  DBIC (shorthand for DBIx::Class)
automatically uses bind parameters, which helps a lot
with SQL-injection-style attacks.


For parameter checking, there's a bunch of stuff
floating around.  Please do a quick search of the
recent archives; you'll find someone asking a similar
question with a lot of discussion following.  My
personal choice for form validation is the system
based on HTML::FormFu, which integrates nicely with
Catalyst.  There is a reasonably active mailing
list as well and tons of documentation and examples.
But your results may be better served by other things;
my opinion is far from canonical.

--john
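The two points above (an ORM binding parameters for you, and a declared validation layer in front of the model) can be seen side by side in a small script. This is an added illustration, not code from the thread or from Catalyst, DBIx::Class or HTML::FormFu themselves; it assumes DBD::SQLite, DBIx::Class and HTML::FormFu are installed, and the `My::Schema` classes, the `users` table and its two rows are made up for the example.

```perl
#!/usr/bin/perl
# Added example (not from the list thread). Assumes DBD::SQLite, DBIx::Class
# and HTML::FormFu are installed. Schema, table and rows are constructed here.
use strict;
use warnings;

# --- Minimal DBIx::Class schema, constructed for this example ---------------
package My::Schema::Result::User;
use base 'DBIx::Class::Core';
__PACKAGE__->table('users');
__PACKAGE__->add_columns(qw/id name role/);
__PACKAGE__->set_primary_key('id');

package My::Schema;
use base 'DBIx::Class::Schema';
__PACKAGE__->register_class( User => 'My::Schema::Result::User' );

package main;
use HTML::FormFu;

# In-memory SQLite database seeded with two constructed rows.
my $schema = My::Schema->connect('dbi:SQLite:dbname=:memory:');
my $dbh    = $schema->storage->dbh;
$dbh->do('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$schema->resultset('User')->populate([
    [qw/id name role/],
    [ 1, 'alice', 'admin' ],
    [ 2, 'bob',   'user'  ],
]);

# The classic textbook value a login form might receive.
my $input = "' OR '1'='1";

# 1) Interpolating the parameter into the SQL string: the quotes in $input
#    become part of the statement, so the WHERE clause matches every row.
my $interpolated = $dbh->selectall_arrayref(
    "SELECT name FROM users WHERE name = '$input'"
);
print "interpolated query returned ", scalar(@$interpolated), " rows\n";   # 2

# 2) DBIx::Class builds "WHERE name = ?" and passes $input as a bind value,
#    so the database sees it as data, never as SQL.
my @via_dbic = $schema->resultset('User')->search({ name => $input })->all;
print "DBIx::Class search returned ", scalar(@via_dbic), " rows\n";         # 0

# 3) Parameter checking with HTML::FormFu: declare the constraints once and
#    reject the request before it reaches the model at all.
my $form = HTML::FormFu->new;
$form->populate({
    elements => [
        {   type        => 'Text',
            name        => 'name',
            constraints => [
                'Required',
                { type => 'Regex', regex => '^[A-Za-z0-9_]{1,32}$' },
            ],
        },
    ],
});

for my $candidate ( $input, 'alice' ) {
    # A hashref stands in for the Catalyst request object here.
    $form->process({ name => $candidate });
    if ( $form->submitted_and_valid ) {
        my $clean = $form->param_value('name');
        my $user  = $schema->resultset('User')->search({ name => $clean })->first;
        printf "%-14s accepted -> %s\n", "'$candidate'",
            $user ? $user->role : 'no such user';
    }
    else {
        printf "%-14s rejected: %s\n", "'$candidate'",
            join ', ', map { $_->message } @{ $form->get_errors };
    }
}
```

The first query is the raw-DBI shape the original question worries about; the second shows why the ORM advice holds (the same hostile value yields zero rows because it was bound, not concatenated). The FormFu loop shows the other half of the answer: validation is configuration in the controller, and only `param_value` output, already checked against the declared constraints, is handed to the model.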

