I inquired about this myself a few months ago. Consensus, if I remember correctly, was that DBIC gives you some safety in that it uses placeholders, but that does not mean you're protected fully from bad input or malicious abuse of that parameter. I personally like having input meet specific requirements and if it doesn't meet them then just reject it. But that does not always fly, especially if you HAVE to be flexible. Another approach is rejecting input if it has characters or data that you know you don't want or expect, things like <, %, (, ), \, /, ?, `, *, +, just as some examples. I think it's better to be more strict with input than less strict, especially if it's public facing. If it's internal then it's a different story.
Thanks,
------------------------------------------
Ali Mesdaq (CISSP, GIAC-GREM)
Security Researcher II
Websense Security Labs
http://www.WebsenseSecurityLabs.com
------------------------------------------

-----Original Message-----
From: Daniel McBrearty [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 05, 2008 11:22 AM
To: The elegant MVC web framework
Subject: Re: [Catalyst] untainting utf8 text for db

Yes, that's what I meant. But does using the DBIx::Class construct sanitise, provide safety and prevent unwanted babies though? IIRC it does for creating records.

On Thu, Jun 5, 2008 at 8:10 PM, Ash Berlin <[EMAIL PROTECTED]> wrote:
>
> On 5 Jun 2008, at 19:05, Daniel McBrearty wrote:
>
>> database contains text fields which can be in any language and
>> contain any text and punctuation
>>
>> 1. I am getting params back via a web form to create new records.
>> What do I do to validate input (apart from length check)?
>>
>> 2. I want to take a param and do a "like(%$param%)" search returning
>> matching records. How do I protect this?
>
> You mean "foo LIKE '%$param%' " and it's done by
>
> $rs->search({ col => { -like => "%$param%" } })
>
> -ash
>
> _______________________________________________
> List: Catalyst@lists.scsys.co.uk
> Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
> Searchable archive:
> http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
> Dev site: http://dev.catalyst.perl.org/
>

--
Daniel McBrearty
email : danielmcbrearty at gmail.com
http://www.engoi.com
http://danmcb.vox.com
http://danmcb.blogger.com
find me on linkedin and facebook
BTW : 0873928131
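The caveat the thread circles around (a bound placeholder stops SQL injection, but `%` and `_` inside the parameter are still live LIKE wildcards, so you either escape them or reject them as the reply above suggests) as an added example, not code from the thread. It is written in Python against an in-memory SQLite table rather than DBIx::Class; the table, sample rows and function names are constructed for illustration.

```python
import sqlite3

# Constructed sample rows standing in for the thread's "any language, any
# punctuation" text fields; not data from the original discussion.
SAMPLE_ROWS = [
    "100% cotton",
    "100 percent",
    "café au lait",
    "50_50 split",
    "50-50 odds",
]

# Characters the reply above lists as candidates for rejection on public input.
REJECT_CHARS = set("<%()\\/?`*+")


def accept_strict(param, max_len=100):
    """Strict policy: length check plus rejection of unwanted characters."""
    return 0 < len(param) <= max_len and not (set(param) & REJECT_CHARS)


def escape_like(param, esc="\\"):
    """Escape LIKE metacharacters so the user's text is matched literally."""
    return "".join(esc + ch if ch in (esc, "%", "_") else ch for ch in param)


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE phrases (id INTEGER PRIMARY KEY, txt TEXT NOT NULL)")
    conn.executemany("INSERT INTO phrases (txt) VALUES (?)", [(r,) for r in SAMPLE_ROWS])
    return conn


def search_naive(conn, param):
    """Placeholder only: injection is inert, but % and _ in param act as wildcards."""
    sql = "SELECT txt FROM phrases WHERE txt LIKE ? ORDER BY id"
    return [r[0] for r in conn.execute(sql, ("%" + param + "%",))]


def search_escaped(conn, param):
    """Placeholder plus LIKE escaping: the parameter is matched as literal text."""
    sql = "SELECT txt FROM phrases WHERE txt LIKE ? ESCAPE '\\' ORDER BY id"
    return [r[0] for r in conn.execute(sql, ("%" + escape_like(param) + "%",))]


if __name__ == "__main__":
    db = open_db()
    print(search_naive(db, "100%"))         # wildcard leaks: both "100..." rows
    print(search_escaped(db, "100%"))       # only "100% cotton"
    print(search_naive(db, "' OR 1=1 --"))  # []: the placeholder keeps this inert
```

The `ESCAPE` clause is needed because SQLite has no default LIKE escape character; other engines differ, so check the dialect before relying on a default.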