[Catalyst] Input/Parameter Checks

Mesdaq, Ali amesdaq at websense.com
Thu Dec 13 22:36:26 GMT 2007


There is also input via url which is actually a little more worrisome
than form input. I wonder if there is possible way the Catalyst dispatch
internals can be exploited in this manner. Maybe that's an area that's
already been reviewed but just mentioning it to throw it out there.

Thanks,
------------------------------------------
Ali Mesdaq (CISSP, GIAC-GREM)
Security Researcher II
Websense Security Labs
http://www.WebsenseSecurityLabs.com
------------------------------------------

-----Original Message-----
From: Ash Berlin [mailto:ash_cpan at firemirror.com] 
Sent: Thursday, December 13, 2007 1:53 PM
To: The elegant MVC web framework
Subject: Re: [Catalyst] Input/Parameter Checks


On 13 Dec 2007, at 21:21, Mesdaq, Ali wrote:

> Anyone have some suggestions or references to good modules or best 
> practices in this regards? This is mainly in regards to using these 
> inputs in sql queries or other areas where common attacks against web 
> applications happen. I wonder in the catalyst world what best 
> practices are. Would it be a catalyst plugin that would best fit that 
> role or a module that gets used in the controller possibly maybe just 
> some code in the model? It just feels like its one of those things 
> that has been solved by someone else way better than I would have done

> it and I am just not aware of it. Kinda like when I wrote my own 
> logging module because at the time I didn't find a good one then I 
> stumble accross log4perl and realize how badly I wasted my time!
>
> Thanks,

Right there are two different issues here.

1) Form Validation

To check that all fields are completed, match input requirements etc.

Data::FormValidator
FormValidator::Simple

to name 2. There might be plugins for these, but don't use them, just use
the modules normally.

2) avoiding SQL injection

This is simple. Never interpolate *anything* from the user into SQL.
Use placeholders. Or better yet use an ORM such as DBIx::Class.

HTH
Ash

_______________________________________________
List: Catalyst at lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive:
http://www.mail-archive.com/catalyst@lists.rawmode.org/
Dev site: http://dev.catalyst.perl.org/
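To make the two points from Ash's reply concrete, here is an added example that is not part of the thread and not code from the Catalyst project: a request parameter is first checked with Data::FormValidator (Ash's point 1), and then the same parameter is used in a DBI query once by string interpolation and once through a placeholder (Ash's point 2). It assumes DBI, DBD::SQLite and Data::FormValidator are installed; the table, its rows and the parameter value are constructed inline, and the validation profile is an assumption chosen for the example.

```perl
#!/usr/bin/env perl
# Added example, not from the mailing list thread or from Catalyst itself.
# Assumes DBI, DBD::SQLite and Data::FormValidator are available.
use strict;
use warnings;
use DBI;
use Data::FormValidator;

# In-memory database with a constructed table so the script runs offline.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$dbh->do(q{INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')});

# Constructed parameter, as it might arrive from $c->req->params->{name}
# or from a URL path segment. A single quote is enough to alter the query
# when the value is pasted into the SQL text.
my $name = "alice' OR '1'='1";

# Point 1: validate shape first. The profile is an assumption for this
# example: the field is required and must look like a plain account name.
sub validate_name {
    my ($input) = @_;
    my $profile = {
        required           => [qw(name)],
        constraint_methods => { name => qr/^[a-z0-9_]{1,32}$/i },
    };
    my $results = Data::FormValidator->check($input, $profile);
    return $results;
}

# Point 2a: the pattern Ash warns against. The parameter becomes part of
# the SQL statement, so the quote character closes the literal and the
# injected OR clause is true for every row.
sub find_user_interpolated {
    my ($dbh, $name) = @_;
    my $sql = "SELECT name, role FROM users WHERE name = '$name'";
    return $dbh->selectall_arrayref($sql, { Slice => {} });
}

# Point 2b: placeholder. The driver binds the value separately from the
# statement text, so the input is only ever compared as data and the same
# string matches no user.
sub find_user_placeholder {
    my ($dbh, $name) = @_;
    my $sth = $dbh->prepare('SELECT name, role FROM users WHERE name = ?');
    $sth->execute($name);
    return $sth->fetchall_arrayref({});
}

my $check = validate_name({ name => $name });
if ($check->has_missing || $check->has_invalid) {
    print "validation rejected the input: ",
        join(', ', $check->missing, $check->invalid), "\n";
}

# Run both queries with the raw value to show the difference; in a real
# controller the interpolated form would simply not exist, and the
# placeholder query would only ever see $check->valid('name').
my $bad  = find_user_interpolated($dbh, $name);
my $good = find_user_placeholder($dbh, $name);
printf "interpolated query returned %d row(s)\n", scalar @$bad;
printf "placeholder query returned %d row(s)\n",  scalar @$good;

$dbh->disconnect;
```

The validation step and the placeholder step are independent defences: the regex profile rejects this particular value, but validation rules change and are easy to get wrong, so the query must use placeholders (or DBIx::Class, which generates them for you) regardless of what the validator accepted.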


