On Tuesday 16 June 2009 04:11:19 am Tobias Kremer wrote:

> To me, this never looked like a potential security threat because
> $c->req->param('name') is correctly inserted/quoted via bind
> parameters, right? Well, let's see what happens, if we "pollute" the
> query string a bit:
>
> /crashme?name=Foo&name=Bar

Using $c->req->param for this kind of purpose (or, if you ask certain people, for any purpose) is discouraged, and has been discouraged as long as I can remember, for this reason. Use $c->req->params and validate your input.

(Incidentally, if you'd used $c->req->params->{name} the behavior you would have gotten would have been "WHERE name='Foo' OR name='Bar'", which can be a really useful behavior straight out of the box -- but the point stands that you have to know what your data is, know what your data needs to be, and make sure that the two are reconcilable before you do anything :)
Andrew

_______________________________________________
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
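The list-context pitfall the thread describes, as an added example that is not from the thread and not Catalyst's own code: a constructed `param()` stand-in mimics how `$c->req->param` returns every value in list context, so `/crashme?name=Foo&name=Bar` turns the second value into a hash key; the hardened variant reads the `params` hash directly and rejects a repeated parameter. The `%params` hash and both `where_*` functions are assumptions made for the illustration.

```perl
use strict;
use warnings;

# Constructed stand-in for the parsed query string of /crashme?name=Foo&name=Bar,
# shaped like $c->req->params (a repeated parameter becomes an arrayref).
my %params = ( name => [ 'Foo', 'Bar' ] );

# Stand-in for $c->req->param($name): in list context it returns every value,
# in scalar context only the first one. This mimics Catalyst; it is not its code.
sub param {
    my ($name) = @_;
    my $v = $params{$name};
    my @vals = ref $v eq 'ARRAY' ? @{$v} : defined $v ? ($v) : ();
    return wantarray ? @vals : $vals[0];
}

# The pattern from the thread: a hash constructor is list context, so both values
# are spliced in. %where becomes ( name => 'Foo', Bar => undef ), i.e. the request
# now picks a column name ('Bar') instead of only supplying a bound value. Perl
# merely warns "Odd number of elements in hash assignment".
sub where_from_param {
    my %where = ( name => param('name') );
    return \%where;
}

# Hardened: read $c->req->params->{name} directly and insist on a single scalar.
# (As Andrew notes, handing the arrayref to DBIx::Class would instead produce
# name='Foo' OR name='Bar'; whether that is acceptable is the endpoint's decision.)
sub where_from_params {
    my $v = $params{name};
    die "name must be supplied exactly once\n" if ref $v;
    die "name is required\n" unless defined $v && length $v;
    return { name => $v };
}

my $bad = where_from_param();
print "vulnerable: ",
    join( ', ', map { "$_=" . ( defined $bad->{$_} ? $bad->{$_} : 'undef' ) } sort keys %{$bad} ),
    "\n";

my $ok = eval { where_from_params() };
print "hardened: ", ( $ok ? "name=$ok->{name}\n" : "rejected: $@" );
```

Forcing scalar context (`scalar $c->req->param('name')`) silently drops the extra values instead of failing; the explicit check above makes the unexpected shape visible in logs rather than hiding it.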