There is also input via URL, which is actually a little more worrisome than form input. I wonder if there is a possible way the Catalyst dispatch internals can be exploited in this manner. Maybe that's an area that's already been reviewed, but I'm just mentioning it to throw it out there.
Thanks,

------------------------------------------
Ali Mesdaq (CISSP, GIAC-GREM)
Security Researcher II
Websense Security Labs
http://www.WebsenseSecurityLabs.com
------------------------------------------

-----Original Message-----
From: Ash Berlin [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 13, 2007 1:53 PM
To: The elegant MVC web framework
Subject: Re: [Catalyst] Input/Parameter Checks

On 13 Dec 2007, at 21:21, Mesdaq, Ali wrote:

> Anyone have some suggestions or references to good modules or best
> practices in this regard? This is mainly in regards to using these
> inputs in SQL queries or other areas where common attacks against web
> applications happen. I wonder in the Catalyst world what best
> practices are. Would it be a Catalyst plugin that would best fit that
> role, or a module that gets used in the controller, or possibly just
> some code in the model? It just feels like it's one of those things
> that has been solved by someone else way better than I would have done
> it and I am just not aware of it. Kinda like when I wrote my own
> logging module because at the time I didn't find a good one, then I
> stumbled across Log4perl and realized how badly I wasted my time!
>
> Thanks,

Right, there are two different issues here.

1) Form Validation

To check that all fields are completed, match input requirements, etc.

Data::FormValidator
FormValidator::Simple

to name 2. There might be plugins for these, but don't use them, just use the modules normally.

2) Avoiding SQL injection

This is simple. Never interpolate *anything* from the user into SQL. Use placeholders. Or better yet, use an ORM such as DBIx::Class.
HTH
Ash

_______________________________________________
List: [email protected]
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[EMAIL PROTECTED]/
Dev site: http://dev.catalyst.perl.org/
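The two points in Ash's reply, validating the incoming fields and then querying with placeholders, side by side with the interpolated query they replace. This is an added example, not code from the thread or from Catalyst itself. It assumes DBI, DBD::SQLite and Data::FormValidator are installed; the table, its rows, the validation profile and the two inputs are constructed here for the illustration.

```perl
#!/usr/bin/env perl
# Added example, not from the thread or from Catalyst: validate the fields
# first, then query with a placeholder, next to the interpolated query
# that Ash says never to write.
# Assumes DBI, DBD::SQLite and Data::FormValidator are installed.
# The table, its rows, the profile and the inputs are constructed here.
use strict;
use warnings;
use DBI;
use Data::FormValidator;

# Constructed fixture: an in-memory SQLite table with two users.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1, PrintError => 0 });
$dbh->do('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$dbh->do("INSERT INTO users (name, email) VALUES ('alice', 'alice\@example.com')");
$dbh->do("INSERT INTO users (name, email) VALUES ('bob', 'bob\@example.com')");

# 1) Form validation: declare the fields you expect and the shape each
#    must have. Fields not in the profile are dropped; a field that fails
#    its constraint makes the whole request invalid.
my $profile = {
    required           => ['name'],
    optional           => ['page'],
    constraint_methods => {
        name => qr/^[A-Za-z0-9_]{1,32}$/,   # word characters only
        page => qr/^\d{1,4}$/,              # small non-negative integer
    },
};

# Takes a hashref of parameters (in Catalyst, $c->req->params). Path
# pieces from the URL ($c->req->args) deserve the same treatment.
sub validate_params {
    my ($params) = @_;
    my $r = Data::FormValidator->check($params, $profile);
    return undef if $r->has_missing || $r->has_invalid;
    my $valid = $r->valid;      # scalar context: hashref of valid fields only
    return $valid;
}

# 2a) The "before" picture: the value becomes part of the SQL text, so a
#     quote in the input rewrites the WHERE clause. Never do this.
sub lookup_interpolated {
    my ($name) = @_;
    my $sql = "SELECT name, email FROM users WHERE name = '$name'";
    return $dbh->selectall_arrayref($sql);
}

# 2b) Placeholder: the SQL text is fixed and the value is bound separately,
#     so the driver passes it as data rather than as syntax.
sub lookup_placeholder {
    my ($name) = @_;
    my $sql = 'SELECT name, email FROM users WHERE name = ?';
    return $dbh->selectall_arrayref($sql, undef, $name);
}

# Constructed inputs: a real user name and a classic tautology payload.
for my $name ('alice', "' OR '1'='1") {
    print "input: $name\n";

    # 'junk' is not in the profile and is silently discarded.
    my $clean = validate_params({ name => $name, junk => 'ignored' });
    printf "  validator:    %s\n",
        $clean ? "accepted as '$clean->{name}'" : 'rejected';

    my $interp = eval { lookup_interpolated($name) } || [];
    printf "  interpolated: %d row(s)\n", scalar @$interp;

    my $bound = lookup_placeholder($name);
    printf "  placeholder:  %d row(s)\n", scalar @$bound;
}
```

For the second input the validator rejects the request outright, the interpolated query matches every row because the clause has become `name = '' OR '1'='1'`, and the placeholder query matches none because the whole string is compared as a literal name. With DBIx::Class the same lookup is `$schema->resultset('User')->search({ name => $name })`, and the binding happens for you; the validation step is still yours to do.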
