On Wed, Oct 22, 2008 at 02:34:19AM -0700, Ovid wrote:
>
> Because multiple parameters are supplied, the data structure
> changes! All an attacker needs to do is tack on a duplicate
> parameter to a query string and see if the code crashes.

Isn't that what validating input is all about?

Perhaps $c->req->parameters is too low-level to be using in your
controllers. I do something like this:

    sub foo : Local {
        my ( $self, $c ) = @_;

        # do something if validation fails.
        die 'naughty user' unless $c->validate_form;

        # Now safely use your validated input.
        my $form  = $c->stash->{form};
        my $sport = $form->value( 'sport' );
        ...
    }

Fields that accept only scalars only validate for single values, etc.
Parameter validation doesn't have to be just for posted forms.

-- 
Bill Moseley
[EMAIL PROTECTED]
Sent from my iMutt

_______________________________________________
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
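An added example of the single-value check Bill describes, written as a standalone Perl script rather than Catalyst code (validate_params, the field spec and the two sample parameter hashes are all constructed here, not part of the thread or of Catalyst). It shows why a scalar-only field must reject the array ref that a duplicated query parameter produces, and normalises every accepted value so controllers never have to test ref() themselves.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed samples of the shape $c->req->parameters takes: a field sent
# once is a plain string, the same field sent twice becomes an array ref.
my %single = ( sport => 'tennis', page => '2' );
my %duped  = ( sport => [ 'tennis', 'golf' ], page => '2' );

# Hypothetical field spec: whether a field may repeat and what a value must
# look like. Fields not listed here are dropped as unexpected input.
my %spec = (
    sport => { multi => 0, match => qr/^[a-z]+$/ },
    page  => { multi => 0, match => qr/^\d{1,4}$/ },
    tag   => { multi => 1, match => qr/^\w{1,20}$/ },
);

# Validate a parameters hash against the spec. Returns ( \%clean, \@errors );
# every value in %clean is an array ref, even for single-valued fields.
sub validate_params {
    my ( $params, $spec ) = @_;
    my ( %clean, @errors );
    for my $name ( keys %$spec ) {
        next unless exists $params->{$name};
        my $raw    = $params->{$name};
        my @values = ref $raw eq 'ARRAY' ? @$raw : ($raw);
        if ( @values > 1 && !$spec->{$name}{multi} ) {
            push @errors, "$name: expected one value, got " . scalar @values;
            next;
        }
        my $re  = $spec->{$name}{match};
        my @bad = grep { $_ !~ $re } @values;
        if (@bad) {
            push @errors, "$name: malformed value(s): @bad";
            next;
        }
        $clean{$name} = \@values;
    }
    return ( \%clean, \@errors );
}

for my $input ( \%single, \%duped ) {
    my ( $clean, $errors ) = validate_params( $input, \%spec );
    if (@$errors) {
        print "rejected: @$errors\n";    # the duplicated 'sport' lands here
    }
    else {
        print "sport=$clean->{sport}[0] page=$clean->{page}[0]\n";
    }
}
```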