[Catalyst] Using C::C::FormBuilder With DBIC

hkclark at gmail.com hkclark at gmail.com
Mon Feb 19 23:41:20 GMT 2007


On 2/18/07, Mark Zealey <mark at itsolve.co.uk> wrote:
>
> ...
> re the easy solutions presented earlier in the thread for sticking a form
> into a db and back again; I don't usually make the code that simple because
> it could open up injection attacks and doesn't work too well with more
> complex forms or fields. I usually explicitly list which fields I want to
> use so then a typo in the form or a forgotten/newly added field in the form
> will not allow remote users to mess with bits of the database you don't want
> them to mess with. I guess you could probably use db column permissions to
> do that db-side though.
>
> Mark
>
>
The FormBuilder tutorial mentions that it limits the data that can be passed
through the forms it creates (see the "Important:" note near the bottom of
the page):

http://www.formbuilder.org/tutor/index.pl?c=1&s=7

Has anyone looked into how comprehensive these protections are against the
full range of possible attacks?
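As an added example (not code from this thread, from FormBuilder or from DBIx::Class), here is the explicit field allow-list Mark describes, in plain Perl: submitted params are reduced to the columns a given form is permitted to write before anything reaches a DBIC `create`/`update`. The form name, column names, the constructed request parameters and the `$c->model(...)` calls in the comments are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Per-form column allow-list (assumed names). Only these keys may reach the
# row; anything else a remote user sends is dropped, not silently stored.
my %ALLOWED = (
    user_profile => [qw(name email bio)],
);

# Reduce submitted params to the allow-listed columns for a given form.
# Returns (hashref of accepted columns, arrayref of rejected param names).
sub filter_params {
    my ($form, $params) = @_;
    my $allowed = $ALLOWED{$form} or die "unknown form '$form'";
    my %ok = map { $_ => 1 } @$allowed;
    my (%accepted, @rejected);
    for my $key (sort keys %$params) {
        if ($ok{$key}) { $accepted{$key} = $params->{$key} }
        else           { push @rejected, $key }
    }
    return (\%accepted, \@rejected);
}

# Constructed request: the form has name/email/bio, but the submission also
# carries an extra field the user tacked on that the form never offered.
my %req_params = (
    name     => 'Alice',
    email    => 'alice@example.com',
    bio      => 'Hello',
    is_admin => 1,
);

my ($cols, $rejected) = filter_params('user_profile', \%req_params);

# The shortcut discussed in the thread passes every param straight through,
# so the extra field becomes a column write if such a column exists:
#   $c->model('DB::User')->create(\%req_params);
# The allow-listed version hands DBIC only the declared columns:
#   $c->model('DB::User')->create($cols);
# In a real app also check each allowed name against the result source
# (DBIx::Class::ResultSource->has_column) to catch typos at startup.

printf "accepted: %s\n", join ', ', map { "$_=$cols->{$_}" } sort keys %$cols;
printf "rejected: %s\n", join ', ', @$rejected;
warn "unexpected form fields rejected: @$rejected\n" if @$rejected;
```

Logging the rejected names is what turns a stray or tampered field into something you notice, rather than a silent write or a silent drop.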