On Wed, Oct 22, 2008 at 02:34:19AM -0700, Ovid wrote:
> 
> Because multiple parameters are supplied, the data structure
> changes!  All an attacker needs to do is tack on a duplicate
> parameter to a query string and see if the code crashes.

Isn't that what validating input is all about?

Perhaps $c->req->parameters is too low-level to be using in your
controllers.

I do something like this:

    sub foo : Local {
        my ( $self, $c ) = @_;

        # do something if validation fails.
        die 'naughty user' unless $c->validate_form;

        # Now safely use your validated input.
        my $form = $c->stash->{form};
        my $sport = $form->value( 'sport' );
        ...
    }

Fields that accept only scalars only validate for single values, etc.
Parameter validation doesn't have to be just for posted forms.

-- 
Bill Moseley
[EMAIL PROTECTED]
Sent from my iMutt

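A standalone illustration of the point above (added here; it is not part of Bill's message or of Catalyst itself). The hash is a constructed stand-in for $c->req->parameters, and the helper names are hypothetical:

```perl
# Added example (not from the thread or from Catalyst itself): refuse
# a request parameter that arrived more than once before using it.
# Catalyst's $c->req->parameters holds a plain string for a parameter
# sent once and an array reference for one sent several times, so a
# duplicated ?id=7&id=8 changes the type the controller receives.
use strict;
use warnings;

# Constructed stand-in for $c->req->parameters (no Catalyst needed):
# 'sport' was sent once, 'id' was sent twice.
my $params = {
    sport => 'football',
    id    => [ '7', '8' ],
};

# Single scalar value or a validation error; a repeated parameter
# is rejected instead of silently becoming an array reference.
sub single_param {
    my ( $p, $name ) = @_;
    my $v = $p->{$name};
    die "missing parameter '$name'\n"              unless defined $v;
    die "parameter '$name' must not be repeated\n" if ref $v;
    return $v;
}

# Parameters that are meant to be multi-valued: always return a list,
# whether the client sent one value or many.
sub list_param {
    my ( $p, $name ) = @_;
    my $v = $p->{$name};
    return () unless defined $v;
    return ref $v eq 'ARRAY' ? @$v : ($v);
}

# Tighter still: a single value that must match an allow-list pattern.
sub positive_int_param {
    my $v = single_param(@_);
    die "parameter must be a positive integer\n"
        unless $v =~ /\A[1-9][0-9]{0,8}\z/;
    return $v;
}

print "sport: ", single_param( $params, 'sport' ), "\n";
print "ids:   ", join( ',', list_param( $params, 'id' ) ), "\n";
# Unchecked use of the repeated parameter gives the reference's
# address, not an id: prints something like ARRAY(0x55d1...)
print "unchecked id: $params->{id}\n";
eval { positive_int_param( $params, 'id' ) };
print "validation error: $@" if $@;
```

Run it with plain perl; the last two lines show the repeated 'id' being caught by validation rather than reaching application code as an array reference.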

_______________________________________________
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
