[Catalyst] PostgreSQL quoting issues

Matt S Trout dbix-class at trout.me.uk
Thu Jan 17 02:54:14 GMT 2008


On Wed, Jan 16, 2008 at 03:17:58PM +0100, Marius Kjeldahl wrote:
> I've got an application where I do the following:
> 
>     # Look up last calculated transsum if it exists
>     my $rsts = $c->model ('MintAppDB::TransSum')->find ({
>                       category => $c->req->param ('category'),
>                       sentto => $c->req->param ('sentto'),
>                       iso => $c->req->param ('iso')
>                     });

Never use $c->req->param. You're not competent to do so without screwing
it up, and neither am I :)

$c->req->params->{category}

will, I think, turn out to be much safer all round (or better still RUN USER
INPUT THROUGH A VALIDATOR BEFORE YOU LET IT ON THE SAME SUBNET AS YOUR
PRODUCTION DATABASE DAMMIT :)

-- 
      Matt S Trout       Need help with your Catalyst or DBIx::Class project?
   Technical Director                    http://www.shadowcat.co.uk/catalyst/
 Shadowcat Systems Ltd.  Want a managed development or deployment platform?
http://chainsawblues.vox.com/            http://www.shadowcat.co.uk/servers/
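Added example, not part of the thread: why `$c->req->param(...)` inside a hash constructor is unsafe and `->params->{...}` is not. `FakeReq` is a constructed stand-in for the Catalyst request object; it mimics the CGI.pm-style contract that `param()` returns all values in list context (an empty list when the parameter is absent), while `params()` is a plain hashref.

```perl
use strict;
use warnings;

# Constructed stand-in for the Catalyst request object (assumption: it follows
# the same list-context contract as Catalyst::Request::param).
package FakeReq;
sub new    { my ($class, %p) = @_; return bless { p => \%p }, $class }
sub params { return $_[0]{p} }
sub param {
    my ($self, $name) = @_;
    my $v = $self->{p}{$name};
    my @vals = ref $v eq 'ARRAY' ? @$v : defined $v ? ($v) : ();
    return wantarray ? @vals : $vals[0];
}

package main;

# The quoted pattern: param() called in list context inside { ... }, so each
# call contributes zero, one or several list elements, not exactly one value.
sub cond_via_param {
    my ($req) = @_;
    return { category => $req->param('category'),
             sentto   => $req->param('sentto'),
             iso      => $req->param('iso') };
}

# Matt's suggestion: a hash lookup is always exactly one scalar per key
# (undef when the parameter is absent), so the key/value pairing cannot shift.
sub cond_via_params {
    my ($req) = @_;
    my $p = $req->params;
    return { category => $p->{category}, sentto => $p->{sentto}, iso => $p->{iso} };
}

sub dump_cond {
    my ($label, $h) = @_;
    printf "%-26s %s\n", $label, join ', ',
        map { "$_=" . (defined $h->{$_} ? $h->{$_} : 'undef') } sort keys %$h;
}

# Case 1: 'sentto' omitted from the query string. param() returns an empty
# list, so 'iso' becomes the VALUE of sentto and 'NO' becomes a key with no
# value (perl warns "Odd number of elements in anonymous hash").
my $missing = FakeReq->new(category => 'food', iso => 'NO');
dump_cond('param, sentto missing:',  cond_via_param($missing));
dump_cond('params, sentto missing:', cond_via_params($missing));

# Case 2: 'category' sent twice. The extra value is consumed as a KEY, so the
# client decides which column names end up in the WHERE clause.
my $dup = FakeReq->new(category => ['food', 'other'], sentto => 'x', iso => 'NO');
dump_cond('param, duplicate cat:',   cond_via_param($dup));
dump_cond('params, duplicate cat:',  cond_via_params($dup));
```

With `params`, a multi-valued parameter arrives as an arrayref in a single slot, which DBIx::Class turns into an `IN (...)` list rather than into extra hash keys.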


