[Catalyst] Input/Parameter Checks
Ash Berlin
ash_cpan at firemirror.com
Thu Dec 13 23:02:39 GMT 2007
On 13 Dec 2007, at 22:43, Jonathan Rockway wrote:
>
> On Thu, 2007-12-13 at 21:53 +0000, Ash Berlin wrote:
>> 2) avoiding SQL injection
>>
>> This is simple. never interpolate *anything* from the user into SQL.
>> Use placeholders. Or better yet use an ORM such as DBIx::Class.
>
> Be mindful of these cases, though:
>
> # 1
> my $col = $req->params->{col};
> $rs->search({}, { order_by => \"$col DESC" });
>
Agreed. I never do anything like that anyways ;)
> # 2
> my $user = $rs->create({
> is_admin => 0,
> username => $c->req->param('username'),
> });
This comes under "never interpolate *anything* from the user into SQL."
>
>
> It's easy to write insecure code even with advanced ORMs and
> frameworks.
> Just not quite as easy as it is in PHP :)
>
> Regards,
> Jonathan Rockway
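Both pitfalls Jonathan lists, with the defensive version beside each, as an added stand-alone example that is not from this thread or from DBIx::Class itself. It assumes a column whitelist (@allowed_cols, which a real app would take from $rs->result_source->columns) and a small param() stand-in that behaves like $c->req->param, returning every value in list context:

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Case 1: an ORDER BY column taken from the request. Never hand it over as
# a literal scalar ref (\"$col DESC"); check it against the table's own
# column list and give DBIx::Class the structured form instead.
my @allowed_cols = qw(id username created);   # assumed: $rs->result_source->columns

sub safe_order_by {
    my ($col) = @_;
    my %ok = map { $_ => 1 } @allowed_cols;
    die "refusing to order by unknown column '$col'\n" unless $ok{$col};
    return { -desc => $col };   # SQL::Abstract quotes the identifier; nothing is interpolated
}

# Case 2: param() in list context. Constructed request carrying
# ?username=alice&username=is_admin&username=1
my %params = ( username => [ 'alice', 'is_admin', 1 ] );

sub param {                     # stand-in for $c->req->param
    my ($name) = @_;
    my $v = $params{$name};
    return wantarray ? @{$v} : $v->[0];
}

# Vulnerable: the returned list flattens into the hash and the trailing
# pair overrides is_admin => 0.
my %bad = ( is_admin => 0, username => param('username') );

# Fixed: force scalar context so exactly one value lands in the hash.
my %good = ( is_admin => 0, username => scalar param('username') );

printf "vulnerable: is_admin=%s username=%s\n", $bad{is_admin}, $bad{username};
printf "fixed:      is_admin=%s username=%s\n", $good{is_admin}, $good{username};
printf "order_by for 'username': %s\n", join ' ', %{ safe_order_by('username') };
```

Using $c->req->params->{username} is not a substitute for the scalar fix, since that slot holds an array ref whenever the parameter is repeated; the whitelist in safe_order_by should also be the only path by which a request can choose a sort column.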