On 13 Dec 2007, at 23:42, Jonathan Rockway wrote:
On Thu, 2007-12-13 at 23:02 +0000, Ash Berlin wrote:
# 2
my $user = $rs->create({
    is_admin => 0,
    username => $c->req->param('username'),
});

This comes under "never interpolate *anything* from the user into SQL."

Well, you have to get data into the database somehow.  It goes without
saying that the $rs->create call validates the data.

The issue here is using param(), which returns *a list* in list context.
The thing that => points to is not coerced to scalar context.  So in
this case you're hoping the list only has one element, but you're not
guaranteeing this in any way.  Consider a query string like
username=foo&username=is_admin&username=1.

Here,

   { username => $req->param('username') }

would be the same as

   { username => qw/foo is_admin 1/       }

A common mistake.

This is very subtle and it's probably a security hole lurking in many,
many apps.

Regards,
Jonathan Rockway

Right you are.

/me goes to check that all of his inputs are parsed by FormValidator::Simple

Yup, that should avoid that problem for me then.
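The list-context flattening Jonathan describes, shown end to end as an added example (this is not code from the thread or from Catalyst). `FakeRequest` is a constructed stand-in for a request object whose `param()` behaves like CGI's or Catalyst's: all values in list context, the first value in scalar context. The three builder subs are hypothetical names; the query string is the one from the thread.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for a CGI/Catalyst-style request object (hypothetical,
# not Catalyst::Request): param() returns every value in list context and the
# first value in scalar context, which is the behaviour the thread relies on.
package FakeRequest;

sub new {
    my ($class, %params) = @_;
    return bless { params => \%params }, $class;
}

sub param {
    my ($self, $name) = @_;
    my @values = @{ $self->{params}{$name} || [] };
    return wantarray ? @values : $values[0];
}

package main;

# Constructed request for the query string from the thread:
#   username=foo&username=is_admin&username=1
my $req = FakeRequest->new( username => [qw/foo is_admin 1/] );

# Vulnerable pattern from the thread: the fat comma does not impose scalar
# context, so the returned list flattens into the anonymous hash and the
# caller-supplied values become extra key/value pairs, the last of which
# overrides is_admin.
sub build_unsafe {
    my ($r) = @_;
    return { is_admin => 0, username => $r->param('username') };
}

# Hardened: force scalar context so exactly one value lands under 'username'.
sub build_safe {
    my ($r) = @_;
    return { is_admin => 0, username => scalar $r->param('username') };
}

# Stricter alternative: refuse the request when a parameter that must be
# single-valued arrives with several values, instead of silently picking one.
sub build_strict {
    my ($r) = @_;
    my @values = $r->param('username');
    die "multiple values supplied for username\n" if @values > 1;
    return { is_admin => 0, username => $values[0] };
}

sub dump_row {
    my ($label, $row) = @_;
    print "$label: ", join( ', ', map { "$_=$row->{$_}" } sort keys %$row ), "\n";
}

dump_row( 'unsafe', build_unsafe($req) );   # is_admin ends up as 1
dump_row( 'safe',   build_safe($req) );     # is_admin stays 0, username is 'foo'

eval { build_strict($req) };
print "strict: rejected: $@" if $@;
```

The `scalar` fix is the minimal one; the strict variant is what a validation layer such as the one Ash mentions would typically give you, since a single-valued field arriving with three values is itself a sign the request is not what the form produces.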


_______________________________________________
List: [email protected]
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[EMAIL PROTECTED]/
Dev site: http://dev.catalyst.perl.org/