[Catalyst] Input/Parameter Checks

Jonathan Rockway jon at jrock.us
Thu Dec 13 22:43:54 GMT 2007


On Thu, 2007-12-13 at 21:53 +0000, Ash Berlin wrote:
> 2) avoiding SQL injection
> 
> This is simple: never interpolate *anything* from the user into SQL.
> Use placeholders. Or better yet, use an ORM such as DBIx::Class.

Be mindful of these cases, though:

  # 1: the scalar-ref form passes $col through as a literal SQL fragment,
  #    so the request parameter is interpolated into the query unchanged
  my $col = $req->params->{col};
  $rs->search({}, { order_by => \"$col DESC" });

  # 2: param() is called in list context here, so it returns every value
  #    submitted under 'username' and those values become extra hash pairs
  my $user = $rs->create({
      is_admin => 0,
      username => $c->req->param('username'),
  });

It's easy to write insecure code even with advanced ORMs and frameworks.
Just not quite as easy as it is in PHP :)

Regards,
Jonathan Rockway
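The two pitfalls above next to their hardened forms, as an added example in plain Perl that is not part of the original message; `param` and `%request` are constructed stand-ins for Catalyst's `$c->req->param` and a submitted form, and the allowlist in `safe_order_by` is an assumed set of sortable columns.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Constructed sample request: more than one value for 'username' and a
# column name that is not a plain identifier.
my %request = (
    username => [ 'alice', 'is_admin', '1' ],
    col      => [ 'username; DROP TABLE users' ],
);

# Stand-in for $c->req->param: every value in list context, first value
# in scalar context (the behaviour the original snippet relies on).
sub param {
    my ($name) = @_;
    my @v = @{ $request{$name} || [] };
    return wantarray ? @v : $v[0];
}

# Case 2, as written in the message: list context flattens all three
# values into the hash, and the trailing 'is_admin' => '1' pair wins.
sub build_row_unsafe {
    return { is_admin => 0, username => param('username') };
}

# Hardened: force scalar context so exactly one value is ever taken.
sub build_row_safe {
    return { is_admin => 0, username => scalar param('username') };
}

# Case 1 hardened: only accept column names from a fixed allowlist and
# hand DBIx::Class the hashref form, so no string ever reaches the SQL.
my %sortable = map { $_ => 1 } qw(username created_at);
sub safe_order_by {
    my ($col) = @_;
    die "unsortable column\n" unless defined $col && $sortable{$col};
    return { -desc => $col };
}

my $unsafe = build_row_unsafe();
my $safe   = build_row_safe();
print "unsafe: is_admin=$unsafe->{is_admin} username=$unsafe->{username}\n";
print "safe:   is_admin=$safe->{is_admin} username=$safe->{username}\n";
my $ob = eval { safe_order_by(scalar param('col')) };
print $ob ? "order_by accepted\n" : "order_by rejected: $@";
```

Running it shows the unsafe row with `is_admin=1` and the safe row with `is_admin=0`, and the order_by column rejected before it can reach a query.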
