[Catalyst] plat_forms report published on June 20th, 2007.
Genevateam on Catalyst wins the Perl track.
Octavian Rasnita
orasnita at gmail.com
Wed Jun 20 20:25:17 GMT 2007
From: "Daniel McBrearty" <danielmcbrearty at gmail.com>
> If you read closely (p43), re SQL injection :
>
> "We record any failures to process our inputs appropriately as broken
> only, i.e., when an
> exception is raised that stems directly from the SQL processing rather
> than the application logic. We record a solution as correct if it
> processes acceptable inputs correctly and rejects unacceptable inputs
> with an error message produced under proper control of the
> application. Note that in this approach, an application flagged as
> broken may actually be acceptable (in particular: secure), but it is
> impossible to be sure from the outside so we
> take a conservative approach."
>
> I'd guess that they got a cat exception passed up from DBIx::Class,
> and classified that as broken, basically because the team didn't
> actually catch the error. But even so, the db itself would have been
> safe.
Is Catalyst showing DBIx::Class errors in the browser if the program doesn't
have the Debug module active?
I thought it shows that page with "Please come back later" in a few
languages.
Octavian
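The report's "correct" category above requires that bad input is rejected with an error message the application itself controls, rather than a raw exception leaking out. Here is an added example of what that looks like in a Catalyst controller; it is not code from this thread or from the Catalyst project, and the package name MyApp, the DB::Article model and the view template are hypothetical, with Try::Tiny assumed to be installed.

```perl
package MyApp::Controller::Article;
use Moose;
use namespace::autoclean;
use Try::Tiny;

BEGIN { extends 'Catalyst::Controller' }

# Hypothetical action: show the article whose id is given in the URL.
sub view :Path('view') :Args(1) {
    my ($self, $c, $id) = @_;

    # Validate first: only positive integers are acceptable ids, so
    # anything else gets a controlled 400 instead of reaching the database.
    unless (defined $id && $id =~ /\A[1-9][0-9]*\z/) {
        $c->response->status(400);
        $c->response->body('Invalid article id.');
        return;
    }

    # DBIx::Class binds $id as a placeholder, so it is never interpolated
    # into the SQL text; the remaining risk is an uncaught DB exception.
    my ($article, $db_error);
    try {
        $article = $c->model('DB::Article')->find($id);
    }
    catch {
        $db_error = $_;
    };

    if ($db_error) {
        # The exception text can contain SQL fragments and table names:
        # log it for the operator, but never send it to the browser.
        $c->log->error("Article lookup failed: $db_error");
        $c->response->status(500);
        $c->response->body('The article could not be loaded. Please try again later.');
        return;
    }

    unless ($article) {
        $c->response->status(404);
        $c->response->body('No such article.');
        return;
    }

    $c->stash(article => $article, template => 'article/view.tt');
}

__PACKAGE__->meta->make_immutable;
1;
```

With this pattern the application decides what the client sees in every branch, which is what the report's "under proper control of the application" criterion asks for, independent of whether the debug screen is enabled.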