[Catalyst] Input/Parameter Checks

Mark Blythe list at markblythe.com
Thu Dec 13 23:32:41 GMT 2007


On 12/13/07, Jonathan Rockway <jon at jrock.us> wrote:
>
>
> Be mindful of these cases, though:
>
>   # 2
>   my $user = $rs->create({
>       is_admin => 0,
>       username => $c->req->param('username'),
>   });


Are you sure about this one?  I just tested this with DBI_TRACE, and it does
appear to use bind variables when generating the INSERT statement.  I tried
tripping it up with SQL injections, tossing in quotes, semicolons, etc., and
it always handled it gracefully, as it should when properly using binds.
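The quoted `# 2` case is the pattern that Catalyst::Request's own documentation flags for a reason unrelated to SQL quoting: `$c->req->param('name')` returns every value of a repeated parameter when called in list context, and a hash constructor is list context. The thread does not spell this out, so the following Perl is an added illustration, not code from either poster or from Catalyst or DBIx::Class. `FakeRequest` is a constructed stand-in whose `param` method mirrors that documented list/scalar behaviour; the request values are constructed as well. It shows how a repeated parameter reshapes the hash and how `scalar` keeps the shape fixed.

```perl
#!/usr/bin/env perl
# Added example (not from this thread): why a hash built from
# $c->req->param(...) in list context needs care, and the scalar fix.
use strict;
use warnings;

# Minimal stand-in for Catalyst::Request (assumption: mirrors the documented
# behaviour that param('x') returns all values of x in list context and the
# first value in scalar context).
package FakeRequest;
sub new { my ($class, %p) = @_; bless { params => \%p }, $class }
sub param {
    my ($self, $name) = @_;
    my $v = $self->{params}{$name};
    my @values = ref $v eq 'ARRAY' ? @$v : defined $v ? ($v) : ();
    return wantarray ? @values : $values[0];
}

package main;

# Constructed request: the 'username' parameter appears three times, as it
# would for ?username=bob&username=is_admin&username=1
my $req = FakeRequest->new(username => [ 'bob', 'is_admin', 1 ]);

# List context: the three values are flattened into the hash constructor,
# so the pairs become (is_admin => 0, username => 'bob', is_admin => 1) and
# the caller-supplied is_admin wins.
my %unsafe = (
    is_admin => 0,
    username => $req->param('username'),
);

# Scalar context: exactly one value is interpolated, so the keys the
# application chose are the only keys the hash can have.
my %safe = (
    is_admin => 0,
    username => scalar $req->param('username'),
);

printf "unsafe: is_admin=%s username=%s\n", $unsafe{is_admin}, $unsafe{username};
printf "safe:   is_admin=%s username=%s\n", $safe{is_admin}, $safe{username};
```

Running it prints `is_admin=1` for the unsafe hash and `is_admin=0` for the safe one. The bind variables Mark observed with DBI_TRACE are real and do protect the INSERT's quoting; they cannot protect the set of columns being written, which is decided by the Perl hash before DBIx::Class ever sees it. A quick check for this class of problem is to grep a Catalyst application for `param(` appearing inside a `{ ... }` or `( ... )` constructor without `scalar` in front of it.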
