[Catalyst] Input/Parameter Checks

Ash Berlin ash_cpan at firemirror.com
Fri Dec 14 00:11:51 GMT 2007


On 13 Dec 2007, at 23:42, Jonathan Rockway wrote:

>
> On Thu, 2007-12-13 at 23:02 +0000, Ash Berlin wrote:
>>> # 2
>>> my $user = $rs->create({
>>>     is_admin => 0,
>>>     username => $c->req->param('username'),
>>> });
>>
>> This comes under "never interpolate *anything* from the user into SQL."
>
> Well, you have to get data into the database somehow.  It goes without
> saying that the $rs->create call validates the data.
>
> The issue here is using param(), which returns *a list* in list context.
> The thing that => points to is not coerced to scalar context.  So in
> this case you're hoping the list only has one element, but you're not
> guaranteeing this in any way.  Consider a query string like
> username=foo&username=is_admin&username=1.
>
> Here,
>
>    { username => $req->param('username') }
>
> would be the same as
>
>    { username => qw/foo is_admin 1/       }
>
> A common mistake.
>
> This is very subtle and it's probably a security hole lurking in many,
> many apps.
>
> Regards,
> Jonathan Rockway

Right you are.

/me goes to check that all of his inputs are parsed by FormValidator::Simple

Yup, that should avoid that problem for me then.
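The list-context problem Jonathan describes, shown end to end as an added example (this is not code from the thread or from Catalyst). It uses a constructed `MockRequest` class whose `param()` mimics the Catalyst/CGI convention of returning every value in list context and only the first in scalar context; `build_vulnerable` and `build_safe` are hypothetical names chosen for the demonstration.

```perl
use strict;
use warnings;
use Data::Dumper;

# Constructed stand-in for a request object. Its param() follows the
# convention the thread discusses: all values in list context, the first
# value in scalar context. This is NOT Catalyst::Request, just a mock.
package MockRequest;
sub new   { my ($class, %p) = @_; bless { params => \%p }, $class }
sub param {
    my ($self, $name) = @_;
    my $vals = $self->{params}{$name} || [];
    return wantarray ? @$vals : $vals->[0];
}
package main;

# Constructed input equivalent to the query string from the thread:
#   username=foo&username=is_admin&username=1
my $req = MockRequest->new(username => [ 'foo', 'is_admin', '1' ]);

# Vulnerable form: '=>' does not impose scalar context, so the three
# values expand to  username => 'foo', is_admin => '1'  and the later
# is_admin key silently overrides the is_admin => 0 that came first.
sub build_vulnerable {
    my ($req) = @_;
    return { is_admin => 0, username => $req->param('username') };
}

# Hardened form: force scalar context so exactly one value is taken, and
# reject the request outright if the client sent more than one value,
# since a duplicated field is itself a sign of tampering worth logging.
sub build_safe {
    my ($req) = @_;
    my @all = $req->param('username');
    die "refusing request: 'username' supplied " . scalar(@all) . " times\n"
        if @all != 1;
    my $username = scalar $req->param('username');
    return { is_admin => 0, username => $username };
}

$Data::Dumper::Sortkeys = 1;
print "vulnerable: ", Dumper(build_vulnerable($req));
# -> is_admin is '1' and username is 'foo': privilege gained via list expansion

my $safe = eval { build_safe($req) };
print "safe:       ", ($@ ? "rejected: $@" : Dumper($safe));
# -> rejected, because three values were supplied for one field
```

The `die` guard is a stricter choice than plain `scalar()`; if the application legitimately accepts repeated fields elsewhere, validating every input through something like FormValidator::Simple, as Ash does, gives the same guarantee that only a single, checked scalar ever reaches `create()`.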



