[Catalyst] Input/Parameter Checks

Mesdaq, Ali amesdaq at websense.com
Thu Dec 13 23:14:01 GMT 2007


Yes, exactly my point in my earlier emails! I am kinda thinking that the
wrapper would be used like

sub edit : Local
{
    my ($self, $c, $id) = @_;
    # pass the raw value in, get the checked/escaped value back
    $id = $someobject->checkInput($id, {escape_html => 0, escape_sql => 1,
                                        notify => 0});
    ...
}

And you just pass various flags or have different methods, and maybe
wrappers around methods like ->checkAll and ->checkMinimum, etc.
Actually, I am a little worried that I have not come across a standalone
module for validation for these things. I have seen some in bundles, but
who wants to be tied to some form validation module when you don't need
to be, or to try to hack around it to use it for other validation types?
I mean, it's not just SQL attacks in forms that are a concern; there is
also user-generated data that can be displayed on a site, and you would
need to escape any JavaScript code or some HTML and CSS that users can
input. That maybe is even a bigger concern for me, since that's what I see
on a daily basis in my line of work.

Thanks,
------------------------------------------
Ali Mesdaq (CISSP, GIAC-GREM)
Security Researcher II
Websense Security Labs
http://www.WebsenseSecurityLabs.com
------------------------------------------

-----Original Message-----
From: Jonathan Rockway [mailto:jon at jrock.us] 
Sent: Thursday, December 13, 2007 2:44 PM
To: The elegant MVC web framework
Subject: Re: [Catalyst] Input/Parameter Checks


On Thu, 2007-12-13 at 21:53 +0000, Ash Berlin wrote:
> 2) avoiding SQL injection
> 
> This is simple. never interpolate *anything* from the user into SQL.  
> Use placeholders. Or better yet use an ORM such as DBIx::Class.

Be mindful of these cases, though:

  # 1
  my $col = $req->params->{col};
  $rs->search({}, { order_by => \"$col DESC" });

  # 2
  my $user = $rs->create({ 
      is_admin => 0,
      username => $c->req->param('username'),
  });

It's easy to write insecure code even with advanced ORMs and frameworks.
Just not quite as easy as it is in PHP :)

Regards,
Jonathan Rockway
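The two cases in Jonathan's mail, each next to a hardened form, as an added example that is not code from the thread or from Catalyst/DBIx::Class. It is plain core Perl so it runs without a database: `param()` is a stand-in for `$c->req->param`, which (like CGI.pm's `param`) returns every value of a repeated parameter when called in list context; the `%sortable` allowlist, the `%query` request and the `escape_html` helper for Ali's user-generated-HTML concern are constructed for the example.

```perl
#!/usr/bin/perl
# Added example, not from the Catalyst thread. Shows why the two DBIx::Class
# snippets are unsafe and what the hardened version looks like. param() below
# is a stand-in for $c->req->param: like CGI.pm, it returns all values of a
# repeated parameter in list context and the first value in scalar context.
use strict;
use warnings;

# Constructed request: a repeated "username" parameter and a hostile sort column.
my %query = (
    username => [ 'alice', 'is_admin', '1' ],
    col      => [ 'id; DROP TABLE users' ],
);

sub param {
    my ($name) = @_;
    my $vals = $query{$name} || [];
    return wantarray ? @$vals : $vals->[0];
}

# Case 2: param() in list context. The three values flatten into the hash
# list (is_admin, 0, username, 'alice', 'is_admin', '1'), so the trailing
# pair is_admin => 1 overwrites the hard-coded 0.
sub create_args_unsafe {
    return { is_admin => 0, username => param('username') };
}

# Hardened: force scalar context so only one value can ever be used.
sub create_args_safe {
    return { is_admin => 0, username => scalar param('username') };
}

# Case 1: order_by => \"$col DESC" hands a raw SQL fragment to the database.
# Instead, accept only column names from an allowlist (hypothetical here) and
# build the SQL::Abstract hashref form rather than a string. The allowlist,
# not the hashref, is what stops injection: the value still ends up in SQL.
my %sortable = map { $_ => 1 } qw(id username created_at);

sub order_by_clause {
    my ($col, $dir) = @_;
    die "unsortable column\n" unless defined $col && $sortable{$col};
    my $key = (defined $dir && lc $dir eq 'desc') ? '-desc' : '-asc';
    return { $key => $col };    # e.g. { -desc => 'id' }
}

# Output escaping for user data rendered into HTML (Ali's XSS concern).
# Hand-rolled to stay dependency-free; HTML::Entities::encode_entities is
# the usual choice. Escape at output time, in the HTML context, not on input.
sub escape_html {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

if (!caller) {
    my $bad  = create_args_unsafe();
    my $good = create_args_safe();
    print "unsafe: is_admin=$bad->{is_admin}\n";    # 1: privilege escalation
    print "safe:   is_admin=$good->{is_admin}\n";   # 0
    eval { order_by_clause(scalar param('col'), 'desc') };
    print "order_by rejected: $@" if $@;
    print "<p>", escape_html('<script>alert(1)</script>'), "</p>\n";
}
```

Run it as a script and the unsafe hash comes back with `is_admin => 1` from a request that never touched an admin form, while the allowlisted `order_by_clause` dies on the hostile column instead of passing it through. The same `scalar` rule applies to any place a request value is dropped into a list: hash constructors, method argument lists, and `->create`/`->update` calls.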


