[Catalyst] Input/Parameter Checks
Mark Blythe
list at markblythe.com
Thu Dec 13 23:32:41 GMT 2007

On 12/13/07, Jonathan Rockway <jon at jrock.us> wrote:
>
>
> Be mindful of these cases, though:
>
>   # 2
>   my $user = $rs->create({
>       is_admin => 0,
>       username => $c->req->param('username'),
>   });
Are you sure about this one?  I just tested this with DBI_TRACE, and it does
appear to use bind variables when generating the INSERT statement.  I tried
tripping it up with SQL injections, tossing in quotes, semicolons, etc., and
it always handled it gracefully, as it should when properly using binds.
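Separately from how DBIx::Class binds values, the quoted hashref construction has a context property worth checking whenever request parameters are spliced into a key/value list: `$c->req->param('name')` returns every value of a repeated parameter when called in list context, and the inside of `{ ... }` is list context. The script below is an added illustration, not code from this thread and not a statement of what the quoted author had in mind. `FakeRequest` is a stand-in written here to mimic that list/scalar behaviour of a Catalyst request object, and the repeated `username` values are a constructed request.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Stand-in for a Catalyst request object (assumption: written for this
# example, not Catalyst itself). Like Catalyst::Request::param, it returns
# every value for a key in list context and only the first in scalar context.
package FakeRequest;

sub new {
    my ($class, %params) = @_;
    return bless { params => \%params }, $class;
}

sub param {
    my ($self, $name) = @_;
    my $v = $self->{params}{$name};
    my @values = ref $v eq 'ARRAY' ? @$v : ($v);
    return wantarray ? @values : $values[0];
}

package main;

# Constructed request: ?username=alice&username=is_admin&username=1
my $req = FakeRequest->new(username => ['alice', 'is_admin', '1']);

# The quoted construction: param() is evaluated in list context, so all
# three values are spliced into the key/value list. The trailing pair
# ('is_admin', '1') then overrides the is_admin => 0 written first.
my %from_list_context = (
    is_admin => 0,
    username => $req->param('username'),
);

# Forcing scalar context keeps exactly the keys the code names; only the
# first username value is used and is_admin stays 0.
my %from_scalar_context = (
    is_admin => 0,
    username => scalar $req->param('username'),
);

for my $h (\%from_list_context, \%from_scalar_context) {
    print join(', ', map { sprintf('%s=%s', $_, $h->{$_}) } sort keys %$h), "\n";
}
```

Running it prints the list-context hash with `is_admin=1` and the scalar-context hash with `is_admin=0`, which is the check to add to a review of any `create` or `update` call that builds its hashref straight from `param()`: either force scalar context or validate the parameter set against an explicit whitelist before it reaches the resultset.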