[Catalyst] Input/Parameter Checks
Jonathan Rockway
jon at jrock.us
Thu Dec 13 22:43:54 GMT 2007
On Thu, 2007-12-13 at 21:53 +0000, Ash Berlin wrote:
> 2) avoiding SQL injection
>
> This is simple. never interpolate *anything* from the user into SQL.
> Use placeholders. Or better yet use an ORM such as DBIx::Class.
Be mindful of these cases, though:
# 1: the request value is interpolated into a literal SQL fragment (the
# \"..." scalar reference tells DBIx::Class not to quote it), so whatever
# arrives in ?col= ends up verbatim in the ORDER BY clause.
my $col = $req->params->{col};
$rs->search({}, { order_by => \"$col DESC" });

# 2: param() is called in list context, so a repeated ?username= parameter
# returns several values; the extra ones become new key/value pairs in the
# hash and a later is_admin pair overrides the is_admin => 0 written above.
my $user = $rs->create({
    is_admin => 0,
    username => $c->req->param('username'),
});
It's easy to write insecure code even with advanced ORMs and frameworks.
Just not quite as easy as it is in PHP :)
Regards,
Jonathan Rockway
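Hardened versions of both cases, as an added example that is not from the original post: the param() sub is a constructed stand-in for $c->req->param (list of all values in list context, first value in scalar context), and the allowed-column list is an assumption standing in for whatever columns the real resultset exposes.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed request: a repeated username parameter and an order_by column
# that is not a real column name. This mimics what a client can send.
my %params = (
    username => [ 'alice', 'is_admin', 1 ],
    col      => 'id; DROP TABLE users',
);

# Stand-in for $c->req->param: CGI.pm/Catalyst semantics, where list
# context yields every value and scalar context yields only the first.
sub param {
    my ($name) = @_;
    my $vals = $params{$name} || [];
    return wantarray ? @$vals : $vals->[0];
}

# Case 2 fix: force scalar context so the parameter can contribute exactly
# one hash value and can never smuggle in additional keys such as is_admin.
sub safe_create_args {
    my %args = (
        is_admin => 0,
        username => scalar param('username'),
    );
    return \%args;
}

# Case 1 fix: never hand user input to the database as literal SQL. Map the
# requested column onto a fixed set of known column names (assumed list),
# fall back to a default, and let SQL::Abstract build the ORDER BY.
my %allowed_cols = map { $_ => 1 } qw(id username created);

sub safe_order_by {
    my ($col) = @_;
    $col = 'id' unless defined $col && $allowed_cols{$col};
    return { order_by => { -desc => $col } };
}

my $args = safe_create_args();
print "create args: is_admin=$args->{is_admin} username=$args->{username}\n";

my $attrs = safe_order_by( scalar param('col') );
print "order_by: -desc => $attrs->{order_by}{-desc}\n";
```

Both helpers are plain Perl and run without Catalyst or DBIx::Class installed; the returned hashrefs are the shape you would pass to $rs->create and $rs->search.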