--- "Mesdaq, Ali" <[EMAIL PROTECTED]> wrote:

> Anyone have some suggestions or references to good modules or best
> practices in this regard? This is mainly in regards to using these
> inputs in SQL queries or other areas where common attacks against web
> applications happen. I wonder in the Catalyst world what best practices
> are. Would it be a Catalyst plugin that would best fit that role, or a
> module that gets used in the controller, possibly maybe just some code in
> the model? It just feels like it's one of those things that has been
> solved by someone else way better than I would have done it and I am
> just not aware of it. Kinda like when I wrote my own logging module
> because at the time I didn't find a good one, then I stumbled across
> log4perl and realized how badly I wasted my time!
>
> Thanks,
> ------------------------------------------
> Ali Mesdaq (CISSP, GIAC-GREM)
> Security Researcher II
> Websense Security Labs
> http://www.WebsenseSecurityLabs.com
> ------------------------------------------
Hi,

You have a couple of questions here.

First of all, for hardening your SQL, I recommend you use an ORM, like DBIx::Class or Rose::DB, to act as a layer between your front end code (collecting form params, for instance, typically in your controller) and the actual database. DBIC (shorthand for DBIx::Class) automatically uses bind parameters, which helps a lot with SQL injection style attacks.

For parameter checking, there's a bunch of stuff floating around. Please do a quick search of the recent archives; you'll find someone asking a similar question with a lot of discussion following. My personal choice for form validation is the system based on HTML::FormFu, which integrates nicely with Catalyst. There is a reasonably active mailing list as well and tons of documentation and examples. But your results may be better served by other things; my opinion is far from canonical.

--john

_______________________________________________
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[EMAIL PROTECTED]/
Dev site: http://dev.catalyst.perl.org/
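An added illustration of the bind-parameter point in the reply above (example code, not from John's message or from the DBIx::Class project): the same lookup done three ways, by interpolating a form value into the SQL text, with a DBI placeholder, and with a DBIC search. The `MyApp::Schema` classes, the `users` table and the hostile input are all constructed for the example.

```perl
#!/usr/bin/env perl
# Added example: why an ORM that binds parameters (DBIC) blunts SQL injection.
# Assumes DBIx::Class and DBD::SQLite are installed; the schema, Result
# class and table below are hypothetical, built in-memory for the demo.
use strict;
use warnings;

package MyApp::Schema::Result::User;
use base 'DBIx::Class::Core';
__PACKAGE__->table('users');
__PACKAGE__->add_columns(qw/id username email/);
__PACKAGE__->set_primary_key('id');

package MyApp::Schema;
use base 'DBIx::Class::Schema';
__PACKAGE__->register_class(User => 'MyApp::Schema::Result::User');

package main;

my $schema = MyApp::Schema->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1 });
my $dbh = $schema->storage->dbh;   # raw DBI handle, for the two hand-written queries
$dbh->do('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)');
$dbh->do(q{INSERT INTO users VALUES (1, 'alice', 'alice@example.org')});
$dbh->do(q{INSERT INTO users VALUES (2, 'bob',   'bob@example.org')});

# Constructed form input: the classic tautology a validator would reject.
my $input = "' OR '1'='1";

# 1. Interpolation: the input becomes part of the SQL text, so the WHERE
#    clause is rewritten and every row in the table matches.
my $unsafe = $dbh->selectall_arrayref(
    "SELECT username FROM users WHERE username = '$input'");
printf "interpolated: %d row(s)\n", scalar @$unsafe;

# 2. DBI placeholder: the input travels as a bind value and is compared
#    literally against the column, so nothing matches.
my $safe = $dbh->selectall_arrayref(
    'SELECT username FROM users WHERE username = ?', {}, $input);
printf "placeholder:  %d row(s)\n", scalar @$safe;

# 3. DBIC search: the placeholder is generated for you from the hashref,
#    which is what the reply means by "automatically uses bind parameters".
my $rs = $schema->resultset('User')->search({ username => $input });
printf "dbic:         %d row(s)\n", $rs->count;
# as_query returns \[ $sql, @bind ]; the SQL contains '?' where the value goes.
printf "dbic SQL:     %s\n", ${ $rs->as_query }->[0];
```

Bind parameters address the SQL-injection half of the question only; what the value is allowed to look like in the first place is still the job of a validator such as HTML::FormFu, as the reply says.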