From: "Daniel McBrearty" <[EMAIL PROTECTED]>
If you read closely (p43), re SQL injection :
"We record any failures to process our inputs appropriately as broken only, i.e., when an exception is raised that stems directly from the SQL processing rather than the application logic. We record a solution as correct if it processes acceptable inputs correctly and rejects inacceptable inputs with an error message produced under proper control of the application. Note that in this approach, an application flagged as broken may actually be acceptable (in particular: secure), but it is impossible to be sure from the outside so we take a conservative approach."
I'd guess that they got a cat exception passed up from DBIx::Class,
and classified that as broken, basically because the team didn't
actually catch the error. But even so, the db itself would have been
safe.
Is Catalyst showing DBIx::Class errors in the browser if the program doesn't
have the Debug module active?
I thought it shows that page with "Please come back later" in a few
languages.
Octavian
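To make the distinction the quoted criterion draws concrete, here is an added example that is not part of this thread and not Catalyst or DBIx::Class code. It uses Python's standard sqlite3 module as a stand-in for the ORM and database, with a constructed schema and constructed test inputs. Both handlers use parameterised statements, so the database is safe from injection either way; the only difference is that one lets a database exception escape to the framework while the other validates input and answers with a message the application controls. The `classify` function is my reading of the paper's rule: "broken" if an SQL-level exception escapes, "correct" if acceptable inputs succeed and unacceptable ones get an application-controlled error, "incorrect" otherwise.

```python
import sqlite3

# Constructed schema: a CHECK constraint gives the database a reason to raise
# on bad input even though every statement below is parameterised.
SCHEMA = """
CREATE TABLE members (
    id   INTEGER PRIMARY KEY,
    name TEXT    NOT NULL,
    age  INTEGER NOT NULL CHECK (age >= 0)
)
"""

def fresh_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db

def add_member_uncaught(db, name, age):
    # Parameterised, so injection-safe. Nothing here catches a database
    # error: a negative age trips the CHECK constraint and the exception
    # escapes to whatever generic error page the framework shows.
    db.execute("INSERT INTO members (name, age) VALUES (?, ?)", (name, age))
    db.commit()
    return "ok"

def add_member_controlled(db, name, age):
    # Same parameterised statement, but input is validated first and any
    # database error is converted into an application-controlled message.
    if not isinstance(name, str) or not 1 <= len(name) <= 40:
        return "error: name must be 1 to 40 characters"
    if not isinstance(age, int) or age < 0:
        return "error: age must be a non-negative integer"
    try:
        db.execute("INSERT INTO members (name, age) VALUES (?, ?)", (name, age))
        db.commit()
    except sqlite3.DatabaseError:
        return "error: could not save member"
    return "ok"

def stored_names(db):
    return [row[0] for row in db.execute("SELECT name FROM members ORDER BY id")]

# Constructed cases: (name, age, acceptable?). Quote characters are legal in
# a name, so the second case is acceptable input that must be stored literally.
CASES = [
    ("Alice", 30, True),
    ("Bob'); DROP TABLE members; --", 25, True),
    ("Carol", -5, False),
]

def classify(handler):
    """Return (verdict, names actually stored) for one handler under the paper's rule."""
    db = fresh_db()
    for name, age, acceptable in CASES:
        try:
            result = handler(db, name, age)
        except sqlite3.DatabaseError:
            # Exception stems directly from SQL processing: conservatively "broken",
            # even though the rows stored so far show the database itself was safe.
            return "broken", stored_names(db)
        if acceptable and result != "ok":
            return "incorrect", stored_names(db)
        if not acceptable and result == "ok":
            return "incorrect", stored_names(db)
    return "correct", stored_names(db)

if __name__ == "__main__":
    for handler in (add_member_uncaught, add_member_controlled):
        verdict, names = classify(handler)
        print(f"{handler.__name__}: {verdict}, stored={names}")
```

Running it shows both handlers storing the quote-laden name literally (the table survives, so the database was safe in both cases), yet only the handler that catches the error is classified "correct"; the other is "broken" purely because the exception reached the framework, which is exactly the conservative outcome the quoted paragraph describes.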
_______________________________________________
List: Catalyst@lists.rawmode.org
Listinfo: http://lists.rawmode.org/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.rawmode.org/
Dev site: http://dev.catalyst.perl.org/