[Catalyst] Feature Request: Parameter Junctions
Bill Moseley
moseley at hank.org
Thu Oct 23 04:50:00 BST 2008
On Wed, Oct 22, 2008 at 02:34:19AM -0700, Ovid wrote:
>
> Because multiple parameters are supplied, the data structure
> changes! All an attacker needs to do is tack on a duplicate
> parameter to a query string and see if the code crashes.
Isn't that what validating input is all about?
Perhaps $c->req->parameters is too low-level to be using in your
controllers.
I do something like this:
    sub foo : Local {
        my ( $self, $c ) = @_;

        # do something if validation fails.
        die 'naughty user' unless $c->validate_form;

        # Now safely use your validated input.
        my $form  = $c->stash->{form};
        my $sport = $form->value( 'sport' );
        ...
    }
Fields that accept only scalars only validate for single values, etc.
Parameter validation doesn't have to be just for posted forms.
--
Bill Moseley
moseley at hank.org
Sent from my iMutt
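The scalar-vs-arrayref problem Ovid raises, and the kind of single-value check Bill describes, as an added stand-alone example (not Bill's code and not Catalyst's own API): it uses a constructed hash in the shape $c->req->parameters takes, and the validate_params helper and %spec field specification are assumptions for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for $c->req->parameters: a key sent once arrives as a
# string, a key repeated in the query string (?sport=golf&sport=tennis)
# arrives as an array reference, so the data structure depends on the request.
my %params = (
    name  => 'bob',
    sport => [ 'golf', 'tennis' ],
);

# Hypothetical field specification: which fields may carry several values.
my %spec = (
    name  => { multi => 0 },
    sport => { multi => 0 },
    tag   => { multi => 1 },
);

# Return a validated copy of the parameters, or die naming every field that
# received more values than its specification allows.
sub validate_params {
    my ( $params, $spec ) = @_;
    my ( %clean, @errors );
    for my $field ( sort keys %$spec ) {
        next unless exists $params->{$field};
        my $value  = $params->{$field};
        # Normalise to a list however many values arrived.
        my @values = ref $value eq 'ARRAY' ? @$value : ($value);
        if ( $spec->{$field}{multi} ) {
            $clean{$field} = \@values;
        }
        elsif ( @values == 1 ) {
            $clean{$field} = $values[0];
        }
        else {
            push @errors, "$field: expected one value, got " . scalar @values;
        }
    }
    # Fields absent from the spec are dropped, not passed through.
    die join( '; ', @errors ) . "\n" if @errors;
    return \%clean;
}

# Unvalidated use: the raw value stringifies to "ARRAY(0x...)" instead of a
# sport name, so whatever is built from it is silently wrong.
print "raw key: sport_$params{sport}\n";

# Validated use: the duplicated scalar field is rejected before any code
# downstream assumes it is a plain string.
my $clean = eval { validate_params( \%params, \%spec ) };
print $@ ? "rejected: $@" : "sport: $clean->{sport}\n";
```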