[Catalyst] plat_forms report published on June 20th. 2007. Geneva team on Catalyst wins the Perl track.

Alvar Freude alvar at a-blast.org
Thu Jun 21 00:29:02 GMT 2007


-- Bill Moseley <moseley at hank.org> wrote:

> I only scanned the report, but lots of interesting bits in there.
> The two PHP teams used the same framework (and not sure about the
> third, but perhaps similar), where the Perl and Java teams had a wider
> range of frameworks.  Might explain why the PHP teams had seemingly
> similar results.

The Zend team had to use the Zend Framework.

The Oxid Team (the winner team from PHP) wrote everything from scratch.

And for the 3rd I am not sure, should be written in the report ;-) ...

> I found it odd that the Perl frameworks had the SQL injection
> problems.  Most probably expected PHP to be weak there -- just
> goes to show how much bad PHP everyone is used to seeing.

The problem is here:
If there is an "internal server error", this is seen as "broken" and "perhaps SQL injection possible". If wrong inputs are rejected, it is voted as "OK".
These tests were made without looking into the source.

After some protest the wording is a little bit friendlier for the teams with "internal server error".

I looked into the code of the Perl teams: they all use an ORM wrapper (DBIx::Class or DBIx::DataModel), which should be safe.

But each team uses plain SQL in at least one query. Team 2 uses bind parameters and this is safe. Team 1 uses variables in SQL, but it seems to me that the values are clean.

Team 5 uses in one file a lot of SQL statements, and NO bind variables. It seems to me (!) that they get the unfiltered data and include it in SQL. Uuups!

  (Perl Platform Representative in this contest)

-- 

** Alvar C.H. Freude, http://alvar.a-blast.org/
** http://www.wen-waehlen.de/
** http://odem.org/
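The three patterns Alvar describes (values interpolated into the SQL string, values passed as bind parameters, and what the contest's black-box test actually sees) can be shown side by side in a few lines of DBI. This is an added example, not code from any plat_forms team or from the report; it assumes DBI and DBD::SQLite are installed, and the table "users", its rows and the attacker inputs are constructed for the example.

```perl
#!/usr/bin/env perl
# Added example (not any contest team's code): the same lookup written
# with string interpolation, with a bind parameter, and with $dbh->quote,
# run against an in-memory SQLite database so the results can be compared.
# Assumptions: DBI + DBD::SQLite available; schema and rows are constructed.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });

$dbh->do('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, email TEXT)');
my $ins = $dbh->prepare('INSERT INTO users (login, email) VALUES (?, ?)');
$ins->execute(@$_) for ( ['alice', 'alice@example.org'],
                         ['bob',   'bob@example.org'] );

# Unsafe: the request parameter is pasted straight into the SQL text.
# This is the "no bind variables, unfiltered data" pattern from the mail.
sub find_by_login_unsafe {
    my ($login) = @_;
    my $sql = "SELECT id, login, email FROM users WHERE login = '$login'";
    return $dbh->selectall_arrayref($sql);
}

# Safe: the value travels as a bind parameter and is never part of the SQL.
# DBI's selectall_arrayref($sql, \%attr, @bind) does the placeholder work.
sub find_by_login_bound {
    my ($login) = @_;
    return $dbh->selectall_arrayref(
        'SELECT id, login, email FROM users WHERE login = ?', undef, $login);
}

# Also correct for a string literal, but every call site must remember it;
# one forgotten quote() and you are back to the unsafe version.
sub find_by_login_quoted {
    my ($login) = @_;
    my $sql = 'SELECT id, login, email FROM users WHERE login = '
            . $dbh->quote($login);
    return $dbh->selectall_arrayref($sql);
}

my $normal   = 'alice';
my $hostile  = "x' OR '1'='1";   # constructed: classic tautology injection
my $breaking = "x'";             # constructed: unbalanced quote only

for my $input ($normal, $hostile) {
    printf "%-14s unsafe=%d rows  bound=%d rows  quoted=%d rows\n", $input,
        scalar @{ find_by_login_unsafe($input) },
        scalar @{ find_by_login_bound($input) },
        scalar @{ find_by_login_quoted($input) };
}

# What the contest's black-box test sees: an input that merely breaks the
# SQL syntax makes the unsafe version die (an HTTP 500 once it is inside a
# web app), while the bound version just returns zero rows.
eval { find_by_login_unsafe($breaking) };
print 'unsafe on "x\'": ', ($@ ? "database error" : "no error"), "\n";
print 'bound  on "x\'": ', scalar @{ find_by_login_bound($breaking) },
      " rows, no error\n";
```

The tautology input returns every row from the interpolated query and nothing from the other two, and the lone quote raises a database error only in the interpolated version, which is exactly the "internal server error" signal the testers keyed on. A DBIx::Class call such as `$rs->search({ login => $login })` ends up in the bound form, because SQL::Abstract emits placeholders for the values, so the risk in the Perl entries is confined to the hand-written SQL the mail points at.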