[Catalyst] untainting utf8 text for db

Mesdaq, Ali amesdaq at websense.com
Fri Jun 6 03:06:09 BST 2008


I inquired about this myself a few months ago. Consensus, if I remember
correctly, was that DBIC gives you some safety in that it uses
placeholders, but that does not mean you're protected fully from bad input or
malicious abuse of that parameter. I personally like having input meet
specific requirements and if it doesn't meet them then just reject it. But
that does not always fly, especially if you HAVE to be flexible. Another
approach is rejecting input if it has characters or data that you know
you don't want or expect, things like <, %, (, ), \, /, ?, `, *, +, just
as some examples. I think it's better to be more strict with input than
less strict, especially if it's public facing. If it's internal then it's a
different story.

Thanks,
------------------------------------------
Ali Mesdaq (CISSP, GIAC-GREM)
Security Researcher II
Websense Security Labs
http://www.WebsenseSecurityLabs.com
------------------------------------------

-----Original Message-----
From: Daniel McBrearty [mailto:danielmcbrearty at gmail.com] 
Sent: Thursday, June 05, 2008 11:22 AM
To: The elegant MVC web framework
Subject: Re: [Catalyst] untainting utf8 text for db

Yes, that's what I meant. But does using the DBIx::Class construct
sanitise, provide safety and prevent unwanted babies, though?

IIRC it does for creating records.

On Thu, Jun 5, 2008 at 8:10 PM, Ash Berlin <ash_cpan at firemirror.com>
wrote:
>
> On 5 Jun 2008, at 19:05, Daniel McBrearty wrote:
>
>> database contains text fields which can be in any language and 
>> contain any text and punctuation
>>
>> 1. I am getting params back via a web form to create new records. 
>> What do I do to validate input (apart from length check)?
>>
>> 2. I want to take a param and do a "like(%$param%)" search returning 
>> matching records. How do I protect this?
>
> You mean "foo LIKE '%$param%'" and it's done by
>
> $rs->search({ col => { -like => "%$param%" } })
>
> -ash
>
> _______________________________________________
> List: Catalyst at lists.scsys.co.uk
> Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
> Searchable archive: 
> http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
> Dev site: http://dev.catalyst.perl.org/
>



--
Daniel McBrearty
email : danielmcbrearty at gmail.com
http://www.engoi.com
http://danmcb.vox.com
http://danmcb.blogger.com
find me on linkedin and facebook
BTW : 0873928131
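The two points in this thread, Ali's (placeholders do not make the value itself safe, so validate and reject at the boundary) and Ash's (the `-like` search), in one added example. This is my code, not code from the thread or from Catalyst/DBIx::Class. It uses plain DBI against an in-memory SQLite table, which is the shape of SQL that DBIC's `-like` produces underneath; it assumes DBI and DBD::SQLite are installed, and the table, rows, probe strings and function names (`validate_text`, `escape_like`, `search_like`) are constructed for the demo.

```perl
#!/usr/bin/env perl
# Added example (not from the thread): placeholders stop SQL injection, but
# LIKE still interprets % and _ inside the bound value, and "any text in any
# language" still deserves a whitelist check at the boundary.
# Assumes DBI + DBD::SQLite; table and rows below are constructed for the demo.
use strict;
use warnings;
use utf8;
use DBI;
binmode STDOUT, ':encoding(UTF-8)';

# Constructed sample rows in several scripts, with a literal % and _ to probe.
my @rows = ('naïve café', 'Ελληνικά', '100% cotton', 'under_score', 'plain text');

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, sqlite_unicode => 1 });
$dbh->do('CREATE TABLE entries (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
my $ins = $dbh->prepare('INSERT INTO entries (body) VALUES (?)');
$ins->execute($_) for @rows;

# 1. Validate at the boundary and reject, rather than trying to "clean".
#    Default mode: letters/marks/digits, spaces, punctuation and symbols from
#    any script; no control or format characters; bounded length.
#    strict => 1 additionally rejects the characters Ali lists, as one might
#    for a public-facing form that has no need for them.
sub validate_text {
    my ($s, %opt) = @_;
    my $max = $opt{max} // 200;
    return (0, 'undefined')            unless defined $s;
    return (0, 'too long')             if length($s) > $max;
    return (0, 'control/format chars') if $s =~ /[\p{Cc}\p{Cf}]/;
    return (0, 'unexpected characters')
        unless $s =~ /\A[\p{L}\p{M}\p{N}\p{Zs}\p{P}\p{S}]+\z/;
    return (0, 'disallowed punctuation')
        if $opt{strict} && $s =~ m{[<%()\\/?`*+]};
    return (1, 'ok');
}

# 2. Escape LIKE metacharacters in the *value*. The placeholder handles
#    quoting; the ESCAPE clause makes \% and \_ match literally.
sub escape_like {
    my ($s) = @_;
    $s =~ s/([\\%_])/\\$1/g;
    return $s;
}

sub search_like {
    my ($dbh, $param) = @_;
    my $pattern = '%' . escape_like($param) . '%';
    my $sth = $dbh->prepare(
        q{SELECT body FROM entries WHERE body LIKE ? ESCAPE '\' ORDER BY id});
    $sth->execute($pattern);
    return map { $_->[0] } @{ $sth->fetchall_arrayref };
}

# For contrast only: interpolating the value into the SQL text. Never do this.
sub search_like_interpolated {
    my ($dbh, $param) = @_;
    my $rows = $dbh->selectall_arrayref(
        "SELECT body FROM entries WHERE body LIKE '%$param%' ORDER BY id");
    return map { $_->[0] } @$rows;
}

for my $in ('Ελληνικά', '100% cotton', "with\ttab", "' OR 1=1 --") {
    my ($ok, $why) = validate_text($in, strict => 1);
    printf "validate %-14s -> %s\n", "'$in'", $why;
}

for my $p ('café', '100%', '_', "' OR 1=1 --") {
    my @safe   = search_like($dbh, $p);
    my @unsafe = search_like_interpolated($dbh, $p);
    printf "search %-14s placeholder+ESCAPE: %-16s interpolated: %s\n",
        "'$p'", join(',', @safe) || '(none)', join(',', @unsafe) || '(none)';
}
```

Two things worth noticing when running it. The `_` and `' OR 1=1 --` probes return every row through the interpolated query and only the intended row (or nothing) through the placeholder plus `ESCAPE` version, which is exactly the distinction Ali draws: the placeholder removes the injection, the escaping removes the wildcard abuse, and neither replaces the length and character checks. The `' OR 1=1 --` string also passes `validate_text` even in strict mode, since none of Ali's listed characters appear in it, so a blacklist of characters is a usability filter, not the injection defence; the prepared statement is. With DBIx::Class the escaped `$pattern` is what you hand to `-like`; attaching the `ESCAPE` clause there needs SQL::Abstract's literal-SQL form, which this example does not cover.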
