[Catalyst] Input/Parameter Checks

Ash Berlin ash_cpan at firemirror.com
Thu Dec 13 23:02:39 GMT 2007


On 13 Dec 2007, at 22:43, Jonathan Rockway wrote:

>
> On Thu, 2007-12-13 at 21:53 +0000, Ash Berlin wrote:
>> 2) avoiding SQL injection
>>
>> This is simple. never interpolate *anything* from the user into SQL.
>> Use placeholders. Or better yet use an ORM such as DBIx::Class.
>
> Be mindful of these cases, though:
>
>  # 1
>  my $col = $req->params->{col};
>  $rs->search({}, { order_by => \"$col DESC" });
>

Agreed. I never do anything like that anyways ;)

>  # 2
>  my $user = $rs->create({
>      is_admin => 0,
>      username => $c->req->param('username'),
>  });

This comes under "never interpolate *anything* from the user into SQL."

>
>
> It's easy to write insecure code even with advanced ORMs and frameworks.
> Just not quite as easy as it is in PHP :)
>
> Regards,
> Jonathan Rockway
