[Catalyst] PostgreSQL quoting issues
Matt S Trout
dbix-class at trout.me.uk
Thu Jan 17 02:54:14 GMT 2008
On Wed, Jan 16, 2008 at 03:17:58PM +0100, Marius Kjeldahl wrote:
> I've got an application where I do the following:
>
> # Look up last calculated transsum if it exists
> my $rsts = $c->model ('MintAppDB::TransSum')->find ({
> category => $c->req->param ('category'),
> sentto => $c->req->param ('sentto'),
> iso => $c->req->param ('iso')
> });
Never use $c->req->param. You're not competent to do so without screwing
it up, and neither am I :)
$c->req->params->{category}
will, I think, turn out to be much safer all round (or better still RUN USER
INPUT THROUGH A VALIDATOR BEFORE YOU LET IT ON THE SAME SUBNET AS YOUR
PRODUCTION DATABASE DAMMIT :)
--
Matt S Trout Need help with your Catalyst or DBIx::Class project?
Technical Director http://www.shadowcat.co.uk/catalyst/
Shadowcat Systems Ltd. Want a managed development or deployment platform?
http://chainsawblues.vox.com/ http://www.shadowcat.co.uk/servers/
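The hash-misalignment that makes `$c->req->param` dangerous in a hash constructor, and the `params->{...}` plus validator pattern Matt recommends, as an added example that is not from the original post or the Catalyst project; `FakeReq` is a constructed stand-in for `$c->req` (assumed to follow the Catalyst::Request contract that `param('name')` returns every value in list context, while `params->{name}` is one scalar or an arrayref when the name was repeated), and the whitelist rules are hypothetical.

```perl
use strict;
use warnings;
# Constructed stand-in for $c->req (assumption: param() returns all values
# in list context; params->{name} is a scalar, or an arrayref when repeated).
package FakeReq;
sub new    { my ($class, %p) = @_; bless { params => \%p }, $class }
sub params { $_[0]{params} }
sub param  {
    my ($self, $name) = @_;
    my $v = $self->{params}{$name};
    my @vals = ref $v eq 'ARRAY' ? @$v : defined $v ? ($v) : ();
    return wantarray ? @vals : $vals[0];
}
package main;
# Equivalent of the query string ?category=food&category=x&sentto=bob&iso=NO
my $req = FakeReq->new(category => ['food', 'x'], sentto => 'bob', iso => 'NO');

# The quoted pattern: param() runs in list context inside the hash constructor,
# so the repeated parameter shifts every later key/value pair (Perl's
# "Odd number of elements in hash assignment" warning is the only hint).
my %unsafe = (
    category => $req->param('category'),
    sentto   => $req->param('sentto'),
    iso      => $req->param('iso'),
);

# params->{name} is always exactly one value, so the keys stay aligned.
my %safe = (
    category => $req->params->{category},
    sentto   => $req->params->{sentto},
    iso      => $req->params->{iso},
);
# Hypothetical whitelist rules; run before anything reaches find() so a
# repeated, missing or malformed parameter is rejected instead of queried.
my %rules = (category => qr/^\w{1,32}$/, sentto => qr/^[\w.@-]{1,64}$/, iso => qr/^[A-Z]{2}$/);
sub validated {
    my ($params) = @_;
    my %clean;
    for my $name (sort keys %rules) {
        my $v = $params->{$name};
        return (undef, "$name: missing or repeated") if !defined $v || ref $v;
        return (undef, "$name: bad format")          unless $v =~ $rules{$name};
        $clean{$name} = $v;
    }
    return (\%clean, undef);
}
my ($clean, $err) = validated($req->params);
print "unsafe keys: ", join(',', sort keys %unsafe), "\n";
print "safe keys:   ", join(',', sort keys %safe), "\n";
print $err ? "rejected: $err\n" : "ok: category=$clean->{category}\n";
```

Running it shows the `sentto` and `iso` keys disappearing from `%unsafe` while `%safe` keeps them, and the validator refusing the request because `category` was supplied twice.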