[Catalyst] Input/Parameter Checks
Ash Berlin
ash_cpan at firemirror.com
Thu Dec 13 21:53:27 GMT 2007
On 13 Dec 2007, at 21:21, Mesdaq, Ali wrote:
> Anyone have some suggestions or references to good modules or best
> practices in this regard? This is mainly in regards to using these
> inputs in SQL queries or other areas where common attacks against web
> applications happen. I wonder in the Catalyst world what best practices
> are. Would it be a Catalyst plugin that would best fit that role, or a
> module that gets used in the controller, or possibly just some code in
> the model? It just feels like it's one of those things that has been
> solved by someone else way better than I would have done it and I am
> just not aware of it. Kinda like when I wrote my own logging module
> because at the time I didn't find a good one, then I stumbled across
> log4perl and realized how badly I wasted my time!
>
> Thanks,
Right, there are two different issues here.
1) Form validation
To check that all fields are completed, match input requirements etc.
Data::FormValidator
FormValidator::Simple
to name two. There might be plugins for these, but don't use them, just
use the modules normally.
2) Avoiding SQL injection
This is simple. Never interpolate *anything* from the user into SQL.
Use placeholders. Or better yet use an ORM such as DBIx::Class.
HTH
Ash
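The two points above, as an added example that is not part of the original thread or of any Catalyst module: a Data::FormValidator profile checks the submitted fields, and the validated values then go into the database through DBI placeholders rather than string interpolation. It assumes Data::FormValidator, DBI and DBD::SQLite are installed; the in-memory table and the sample request parameters are constructed for the example.

```perl
#!/usr/bin/env perl
# Added example (not from the mailing-list thread): validate form input with
# Data::FormValidator, then insert it with DBI placeholders. Assumes
# Data::FormValidator, DBI and DBD::SQLite are installed; the SQLite table
# and the sample parameters below are constructed for illustration.
use strict;
use warnings;
use DBI;
use Data::FormValidator;
use Data::FormValidator::Constraints qw(email);

# --- 1) Form validation -------------------------------------------------
# Validation profile: which fields must be present and what they must look like.
my %profile = (
    required           => [qw(username email)],
    optional           => [qw(nickname)],
    filters            => ['trim'],
    constraint_methods => {
        username => qr/^[A-Za-z0-9_]{3,32}$/,
        email    => email(),
    },
);

# Constructed stand-in for a request's parameters ($c->req->params in Catalyst).
my %params = (
    username => ' alice ',
    email    => 'alice@example.com',
    nickname => "'; DROP TABLE users; --",   # hostile-looking, harmless once bound
);

my $results = Data::FormValidator->check(\%params, \%profile);
if ($results->has_missing || $results->has_invalid) {
    die "Validation failed: missing=[@{[ $results->missing ]}] "
      . "invalid=[@{[ $results->invalid ]}]\n";
}

# --- 2) SQL with placeholders ------------------------------------------
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, '
       . 'email TEXT, nickname TEXT)');

# Wrong: interpolating user data; the nickname above would end the string
# literal and the rest of it would be parsed as SQL.
# my $bad = "INSERT INTO users (nickname) VALUES ('" . $results->valid('nickname') . "')";

# Right: the driver binds the values separately, so they are never parsed as SQL.
my $sth = $dbh->prepare(
    'INSERT INTO users (username, email, nickname) VALUES (?, ?, ?)');
$sth->execute(map { $results->valid($_) } qw(username email nickname));

# Reading back with a placeholder as well; 'alice' is trimmed by the 'trim' filter.
my $row = $dbh->selectrow_hashref(
    'SELECT username, nickname FROM users WHERE username = ?', undef, 'alice');
print "stored: $row->{username} / $row->{nickname}\n";
```

Running it prints the stored row with the nickname intact as plain text; the table still exists afterwards because the bound value was never treated as SQL. The same `valid()` values would be passed to a DBIx::Class `create` call in the ORM variant Ash mentions, which generates the placeholders for you.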