[Catalyst] Re: Last Chance / Last Day: Web development platform contest and Perl / Catalyst
* Octavian Rasnita [EMAIL PROTECTED] [2006-12-05 08:40]:
> What wiki do you recommend? (in perl or php)
> I have tried TWiki, but it has some bugs that I don't know how to solve.

I think they all suck. :-) I’d probably try PhpWiki first.

Regards,
-- 
Aristotle Pagaltzis // http://plasmasturm.org/

___
List: Catalyst@lists.rawmode.org
Listinfo: http://lists.rawmode.org/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.rawmode.org/
Dev site: http://dev.catalyst.perl.org/
[Catalyst] FastCGI External
Hi,

I have a Catalyst application that is running as an external FastCGI process. My Apache config looks like

    FastCgiExternalServer /tmp/myapp -socket /tmp/myapp.socket
    [...]
    Alias /myapp/ /tmp/myapp/

If I call http://localhost/myapp/user/login, Catalyst receives a request for login instead of user/login. (MyApp Log: GET request for login)

On my local box, I was able to fix the problem by changing the alias directive:

    Alias /myapp/ /tmp/myapp/\/

as described in: http://dev.catalystframework.org/wiki/SolvedIssues#si.230, but on the server, which has a similar apache set up, the solution does not seem to work. I am currently working around the problem by calling http://server/myapp/foo/user/login

Does anybody have a clue, or can anybody explain to me why the first token (foo) is ignored?

Version Info: (on the Server)
- Catalyst 5.7006
- FCGI 0.67
- Apache/2.0.53 (Fedora)

Thank you very much,
Sébastien
Re: [Catalyst] Re: Last Chance / Last Day: Web development platform contest and Perl / Catalyst
Thought I'd chime in with our developer contest at www.stickam.com, since we're doing one right now.

Simply: We're rewarding the most interesting third party Stickam project with $1000 and a PS3.

More details here: http://labs.stickam.com/

I'd really love a Perl hacker using Catalyst to win!
Re: [Catalyst] Re: Last Chance / Last Day: Web development platform contest and Perl / Catalyst
Octavian Rasnita wrote:
> Yesterday I have installed Catalyst and Task::Catalyst under Linux, using the CPAN shell. The process gave many errors, but they disappeared, being replaced by the new lines printed, so I don't know how to find them.
>
> I have tried to install Catalyst again, thinking that I could see those errors again, but I received the message that Catalyst is up to date, so I don't know which were those errors, and which modules were not installed.

Go into the cpan build directory for the distribution (typically under ~root/.cpan/build) and type 'make test'. Then you can see errors and warnings. You can save the output in the normal way. You can also run the individual tests from there (perl t/some-test.t)

Cheers, Dave
Re: [Catalyst] Re: Last Chance / Last Day: Web development platform contest and Perl / Catalyst
Jonathan Rockway wrote:
> Michael Reece wrote:
> > cut
> > click Catalyst::Manual::Tutorial: http://search.cpan.org/perldoc?Catalyst%3A%3AManual%3A%3ATutorial
> > and get a big *Not found* from search.cpan.org
>
> Well, we don't control search.cpan.org, so that's really not something we can help.

Nevertheless, it does mean that innocent potential users are being put off. So irrespective of fault, it's worth trying to solve the problem.

Has anybody asked the CPAN people whether the problem can be fixed? Is it just an out-of-date index?

Alternatively, I guess that changing the link in Manual.pod to be explicit about the manual's distribution would help CPAN find the correct document. That seems like a sensible short-term workaround to me.

Cheers, Dave
Re: [Catalyst] Re: Last Chance / Last Day: Web development platform contest and Perl / Catalyst
to run an individual test :

    perl -Ilib t/some_test_module.t

On 12/5/06, Dave Howorth [EMAIL PROTECTED] wrote:
> Octavian Rasnita wrote:
> > Yesterday I have installed Catalyst and Task::Catalyst under Linux, using the CPAN shell. The process gave many errors, but they disappeared, being replaced by the new lines printed, so I don't know how to find them.
> >
> > I have tried to install Catalyst again, thinking that I could see those errors again, but I received the message that Catalyst is up to date, so I don't know which were those errors, and which modules were not installed.
>
> Go into the cpan build directory for the distribution (typically under ~root/.cpan/build) and type 'make test'. Then you can see errors and warnings. You can save the output in the normal way. You can also run the individual tests from there (perl t/some-test.t)
>
> Cheers, Dave

-- 
Daniel McBrearty
email : danielmcbrearty at gmail.com
www.engoi.com : the multi - language vocab trainer
BTW : 0873928131
[Catalyst] Wikis (was: Last Chance / Last Day: Web development platform contest and Perl / Catalyst)
* Octavian Rasnita [EMAIL PROTECTED] [2006-12-05 11:45]:
> From: A. Pagaltzis [EMAIL PROTECTED]
> > I think they all suck. :-) I’d probably try PhpWiki first.
>
> Ok, thanks. Do you want to say that all of them have big bugs?

No, I’m just saying all of them have things I dislike a lot as a user.

> I wonder why there are so few wikis in perl compared with PHP wikis, and why the best ones have big bugs, keeping in mind that perl is one of the best languages for text processing.

It’s *very* easy to write a half-assed wiki engine. In fact, I wrote one by accident. (I’m not joking.) The only remotely non-trivial system design issue is versioning (although some wiki engines don’t even have that).

Regards,
-- 
Aristotle Pagaltzis // http://plasmasturm.org/
Re: [Catalyst] {OT] protecting against attacks with multilingual input
On Tue, Dec 05, 2006 at 01:10:35PM +0100, Daniel McBrearty wrote:
> How does one do this? If you have a text input field which can be in *any* language, which will get stored in the db, how do you protect against script injection?
>
> If it's just english, I normally only accept characters from a given list (something like /[A-Za-z0-9]/ , plus whitespace and punctuation). But if the input can be in any language ??

Isn't there any way you could require the input to be associated with a particular language? Perl supports locale definitions which modify, for example, the set of 'word' characters matched by the \w regular expression escape. If you could dynamically switch locales to the correct one for your input text then you could trivially s/\W//g to sanitize strings.

If you really have to accept input in any language without knowing what language it is, then perhaps you should take the opposite approach and test for the presence of certain characters which you can be sure would occur in program code but not typically in text. Of course, English might suffer without the dollar-sign and semicolon, and you may decide that this is overly restrictive on your users...

/joel
Re: [Catalyst] {OT] protecting against attacks with multilingual input
yes, I would know the language being supported. There are a lot of languages though. Does it work with Chinese, or Marathi (Devanagari)?

I didn't know that \W did that though. guess I need to look into it. Never seen that in the perldocs - any idea where I can look for the small print?

On 12/5/06, Joel Bernstein [EMAIL PROTECTED] wrote:
> On Tue, Dec 05, 2006 at 01:10:35PM +0100, Daniel McBrearty wrote:
> > How does one do this? If you have a text input field which can be in *any* language, which will get stored in the db, how do you protect against script injection?
> >
> > If it's just english, I normally only accept characters from a given list (something like /[A-Za-z0-9]/ , plus whitespace and punctuation). But if the input can be in any language ??
>
> Isn't there any way you could require the input to be associated with a particular language? Perl supports locale definitions which modify, for example, the set of 'word' characters matched by the \w regular expression escape. If you could dynamically switch locales to the correct one for your input text then you could trivially s/\W//g to sanitize strings.
>
> If you really have to accept input in any language without knowing what language it is, then perhaps you should take the opposite approach and test for the presence of certain characters which you can be sure would occur in program code but not typically in text. Of course, English might suffer without the dollar-sign and semicolon, and you may decide that this is overly restrictive on your users...
>
> /joel

-- 
Daniel McBrearty
email : danielmcbrearty at gmail.com
www.engoi.com : the multi - language vocab trainer
BTW : 0873928131
Re: [Catalyst] {OT] protecting against attacks with multilingual input
On Tue, Dec 05, 2006 at 02:11:27PM +0100, Daniel McBrearty wrote:
> hmmm ... I'll start here ...
> http://www.perl.com/doc/manual/html/pod/perllocale.html

Read perllocale, perlre (the section on \w and \W escapes for word/non-word characters) and locale.

You will need the correct locales compiled on your system for every language and input method you want to support - IIRC these can take up quite some disk space so there is a concomitant cost associated with handling the different languages, but I don't recall it being enormous. To be honest the one-off cost of compiling the locales is the only real downside of this approach that I can see.

/joel
Re: [Catalyst] {OT] protecting against attacks with multilingual input
> If you're talking about sql injection then presumably you could do this exactly the same as you would any other input field - use sql placeholders in a prepared query rather than blindly pasting untrusted input as sql.

This is what I'm talking about. I don't know this technique - I thought the only approach was to filter input. I'm using DBIx, AFAIK it does use placeholders ... ? If so, I can just take input, do some basic sanity filtering, and store?

XSS is not such a worry - I'm not dealing with financial transactions or such. It's more people being able to compromise the server that I am thinking of.

Phaylon : sure. A simple example would be, say, a multilingual web forum. A text field would have a size limit, but other than that most any utf8 character could be input.

-- 
Daniel McBrearty
email : danielmcbrearty at gmail.com
www.engoi.com : the multi - language vocab trainer
BTW : 0873928131
Re: [Catalyst] model connect info to come from YAML configuration file
Hermida, Leandro wrote:
> Inside MyApp::Model::MyAppDB:
>
>     use strict;
>     use base 'Catalyst::Model::DBIC::Schema';
>
>     __PACKAGE__->config(
>         schema_class => 'MyAppDB',
>         connect_info => [
>             'dbi:SQLite:myapp.db',
>             '',
>             '',
>             { AutoCommit => 1 },
>         ],
>     );

    Model::MyAppDB:
        schema_class: MyAppDB
        connect_info:
            - dbi:SQLite:myapp.db
            - ''
            - ''
            - AutoCommit: 1

-Brian
[Catalyst] Coverage tests in Catalyst
Is it possible to do coverage tests in a Catalyst application? If so how? I can't find any references that help.
Re: [Catalyst] Wikis (was: Last Chance / Last Day: Web development platform contest and Perl / Catalyst)
From: A. Pagaltzis [EMAIL PROTECTED]
> I’d probably try PhpWiki first.

Hi,

Does PHPWiki support creating tables without using html code? I've checked their site, but I haven't found that something like that could be done.

BTW, are there any wiki plug-ins for Catalyst?

Thanks.

Teddy
Re: [Catalyst] model connect info to come from YAML configuration file
On 12/5/06, Juan Miguel Paredes [EMAIL PROTECTED] wrote:
> On 12/5/06, Hermida, Leandro [EMAIL PROTECTED] wrote:
> > Hello,
> >
> > I remember seeing the question being asked before but I couldn't find it in the archives. How does one set up the model connect info to come from the YAML configuration file? Using the tutorial as an example, I created the model file with the helper script myapp_create.pl:
> >
> >     $ script/myapp_create.pl model MyAppDB DBIC::Schema MyAppDB dbi:SQLite:myapp.db '' '' '{ AutoCommit => 1 }'
> >     exists /root/dev/MyApp/script/../lib/MyApp/Model
> >     exists /root/dev/MyApp/script/../t
> >     created /root/dev/MyApp/script/../lib/MyApp/Model/MyAppDB.pm
> >     created /root/dev/MyApp/script/../t/model_MyAppDB.t
> >
> > Inside MyApp::Model::MyAppDB:
> >
> >     use strict;
> >     use base 'Catalyst::Model::DBIC::Schema';
> >
> >     __PACKAGE__->config(
> >         schema_class => 'MyAppDB',
> >         connect_info => [
> >             'dbi:SQLite:myapp.db',
> >             '',
> >             '',
> >             { AutoCommit => 1 },
> >         ],
> >     );
> >
> > How would I then make all of the connect info dynamic and acquired from the myapp.yml file? In particular the db driver (sqlite, mysql, pg, oracle), host, port, username, password, etc.
> >
> > Leandro
>
> Hi, All!
>
> Currently, I have something like:
>
>     __PACKAGE__->config(
>         schema_class => 'MyAppBD',
>         connect_info => [
>             MyApp->config->{'db'},
>             MyApp->config->{'db_user'},
>             MyApp->config->{'db_password'},
>             {AutoCommit => 1}
>         ],
>     );
>
> Regards.

Sorry, _send_ hit before time...

And in myapp.yml, something like:

    db: dbi:Pg:dbname=mydb;host=myhost
    db_user: myuser
    db_password: mypass
Re: [Catalyst] {OT] protecting against attacks with multilingual input
On 12/5/06, Daniel McBrearty [EMAIL PROTECTED] wrote:
> This is what I'm talking about. I don't know this technique - I thought the only approach was to filter input. I'm using DBIx, AFAIK it does use placeholders ... ? If so, I can just take input, do some basic sanity filtering, and store?

Yes, DBIC does use placeholders in most situations. However, the NoBindVars-based Storage classes do not. This includes the notable example of MSSQL via DBD::Sybase, which uses NoBindVars to work around issues with FreeTDS and/or DBD::Sybase. The only really good way to fix this is to fix the DBD's or underlying DB libraries to properly support bind variables in all cases.

> Phaylon : sure. A simple example would be, say, a multilingual web forum. A text field would have a size limit, but other than that most any utf8 character could be input.

If your encoding is utf-8, you'll read in the perl i18n/l10n docs that UTF-8 has universal definitions for \w, \W, etc. Thus you don't really even need to know the language to safely validate for word vs non-word chars, just the encoding.

-- Brandon
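The `\w` check discussed in this thread, as an added example (not code from any poster): the Unicode definition of `\w` only applies once the request bytes have been strictly decoded into a Perl character string, and it still rejects hyphens and other punctuation. The function name `check_word_field`, the 32-character limit and the sample strings are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Encode ();

# Hypothetical validator for a username-style field (added example).
# 1. Decode strictly, so malformed UTF-8 is an error rather than being
#    silently replaced with U+FFFD.
# 2. Apply the length limit in characters, not bytes.
# 3. Accept only Unicode word characters. \A and \z anchor the whole string;
#    "$" would also accept a trailing newline.
sub check_word_field {
    my ($raw, $max_chars) = @_;
    my $text = eval {
        Encode::decode('UTF-8', $raw,
            Encode::FB_CROAK() | Encode::LEAVE_SRC());
    };
    return 'rejected: not valid UTF-8'    unless defined $text;
    return 'rejected: empty'              if $text eq '';
    return 'rejected: too long'           if length($text) > $max_chars;
    return 'rejected: non-word character' unless $text =~ /\A\w+\z/;
    return 'accepted';
}

# Constructed sample input. There is no "use utf8" in this file, so each
# literal is the raw UTF-8 byte string a web request would deliver.
my @samples = (
    [ 'ASCII',         'daniel_01' ],
    [ 'Devanagari',    'मराठी'     ],
    [ 'Chinese',       '王小明'    ],
    [ 'hyphenated',    'Jean-Luc'  ],
    [ 'semicolon',     'a;b'       ],
    [ 'Latin-1 bytes', "caf\xE9"   ],   # not valid UTF-8
);

for my $sample (@samples) {
    my ($label, $raw) = @$sample;

    # Matching the undecoded bytes uses ASCII rules for \w, which is why
    # non-ASCII input has to be decoded before it is validated.
    my $undecoded = $raw =~ /\A\w+\z/ ? 'match' : 'no match';

    printf "%-14s undecoded \\w: %-9s decoded: %s\n",
        $label, $undecoded, check_word_field($raw, 32);
}
```

A field that must allow spaces, hyphens or apostrophes needs a wider character class than `\w`; this check is about what the application accepts as a name, and SQL safety still comes from bound parameters.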
RE: [Catalyst] model connect info to come from YAML configuration file
Hi, thank you. Sorry, I am a new user who has just finished the tutorial and am seeing where I can go next, and now I am starting to put things together: that the YAML file maps to the namespace and fills the __PACKAGE__->config() in that namespace. Cool!!

Is there any way to make the YAML file a bit more user friendly? Meaning that things are more explicit to non-programmers if I were to deploy that catalyst project somewhere else. Something like:

    MyAppDB:
        driver: mysql
        host: dbserver.domain.com
        port: 3306
        username: dbuser
        password: dbpass

And then taking these parameters and generating the right config in the model?

Leandro

-----Original Message-----
From: Brian Cassidy [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 05, 2006 14:29
To: The elegant MVC web framework
Subject: Re: [Catalyst] model connect info to come from YAML configuration file

Hermida, Leandro wrote:
> Inside MyApp::Model::MyAppDB:
>
>     use strict;
>     use base 'Catalyst::Model::DBIC::Schema';
>
>     __PACKAGE__->config(
>         schema_class => 'MyAppDB',
>         connect_info => [
>             'dbi:SQLite:myapp.db',
>             '',
>             '',
>             { AutoCommit => 1 },
>         ],
>     );

    Model::MyAppDB:
        schema_class: MyAppDB
        connect_info:
            - dbi:SQLite:myapp.db
            - ''
            - ''
            - AutoCommit: 1

-Brian
Re: [Catalyst] model connect info to come from YAML configuration file
On 12/5/06, Juan Miguel Paredes [EMAIL PROTECTED] wrote:
> On 12/5/06, Juan Miguel Paredes [EMAIL PROTECTED] wrote:
> > On 12/5/06, Hermida, Leandro [EMAIL PROTECTED] wrote:
> > > Hello,
> > >
> > > I remember seeing the question being asked before but I couldn't find it in the archives. How does one set up the model connect info to come from the YAML configuration file? Using the tutorial as an example, I created the model file with the helper script myapp_create.pl:
> > >
> > >     $ script/myapp_create.pl model MyAppDB DBIC::Schema MyAppDB dbi:SQLite:myapp.db '' '' '{ AutoCommit => 1 }'
> > >     exists /root/dev/MyApp/script/../lib/MyApp/Model
> > >     exists /root/dev/MyApp/script/../t
> > >     created /root/dev/MyApp/script/../lib/MyApp/Model/MyAppDB.pm
> > >     created /root/dev/MyApp/script/../t/model_MyAppDB.t
> > >
> > > Inside MyApp::Model::MyAppDB:
> > >
> > >     use strict;
> > >     use base 'Catalyst::Model::DBIC::Schema';
> > >
> > >     __PACKAGE__->config(
> > >         schema_class => 'MyAppDB',
> > >         connect_info => [
> > >             'dbi:SQLite:myapp.db',
> > >             '',
> > >             '',
> > >             { AutoCommit => 1 },
> > >         ],
> > >     );
> > >
> > > How would I then make all of the connect info dynamic and acquired from the myapp.yml file? In particular the db driver (sqlite, mysql, pg, oracle), host, port, username, password, etc.
> > >
> > > Leandro
> >
> > Hi, All!
> >
> > Currently, I have something like:
> >
> >     __PACKAGE__->config(
> >         schema_class => 'MyAppBD',
> >         connect_info => [
> >             MyApp->config->{'db'},
> >             MyApp->config->{'db_user'},
> >             MyApp->config->{'db_password'},
> >             {AutoCommit => 1}
> >         ],
> >     );
> >
> > Regards.
>
> Sorry, _send_ hit before time...
>
> And in myapp.yml, something like:
>
>     db: dbi:Pg:dbname=mydb;host=myhost
>     db_user: myuser
>     db_password: mypass

In any case, Brian's approach seems the way to go... thanks a lot!
Re: [Catalyst] {OT] protecting against attacks with multilingual input
thanks people, this is very helpful.

Well, everything is postgresql / linux, so MSSQL will never be an issue. Also I only ever use utf8 ... so I guess I'm home and dry. It would be very neat to be able to do this without locale-switching (and installing).

as a matter of interest, does anyone have a reference on why placeholders protect against injection attacks ? If that is the case, maybe I can even leave out \w filtering where that is appropriate to do that.

thanks!

D

On 12/5/06, Brandon Black [EMAIL PROTECTED] wrote:
> On 12/5/06, Daniel McBrearty [EMAIL PROTECTED] wrote:
> > This is what I'm talking about. I don't know this technique - I thought the only approach was to filter input. I'm using DBIx, AFAIK it does use placeholders ... ? If so, I can just take input, do some basic sanity filtering, and store?
>
> Yes, DBIC does use placeholders in most situations. However, the NoBindVars-based Storage classes do not. This includes the notable example of MSSQL via DBD::Sybase, which uses NoBindVars to work around issues with FreeTDS and/or DBD::Sybase. The only really good way to fix this is to fix the DBD's or underlying DB libraries to properly support bind variables in all cases.
>
> > Phaylon : sure. A simple example would be, say, a multilingual web forum. A text field would have a size limit, but other than that most any utf8 character could be input.
>
> If your encoding is utf-8, you'll read in the perl i18n/l10n docs that UTF-8 has universal definitions for \w, \W, etc. Thus you don't really even need to know the language to safely validate for word vs non-word chars, just the encoding.
>
> -- Brandon

-- 
Daniel McBrearty
email : danielmcbrearty at gmail.com
www.engoi.com : the multi - language vocab trainer
BTW : 0873928131
Re: [Catalyst] {OT] protecting against attacks with multilingual input
Brandon Black wrote:
> On 12/5/06, Daniel McBrearty [EMAIL PROTECTED] wrote:
> > This is what I'm talking about. I don't know this technique - I thought the only approach was to filter input. I'm using DBIx, AFAIK it does use placeholders ... ? If so, I can just take input, do some basic sanity filtering, and store?
>
> Yes, DBIC does use placeholders in most situations. However, the NoBindVars-based Storage classes do not. This includes the notable example of MSSQL via DBD::Sybase, which uses NoBindVars to work around issues with FreeTDS and/or DBD::Sybase. The only really good way to fix this is to fix the DBD's or underlying DB libraries to properly support bind variables in all cases.

If you can't use bind variables, can't you just use DBI's quote method to prevent SQL injection?

    $sql_safe = $dbh->quote($value);

Cheers, Dave
Re: [Catalyst] {OT] protecting against attacks with multilingual input
On Dec 5, 2006, at 5:28 AM, Daniel McBrearty wrote:
> > If you're talking about sql injection then presumably you could do this exactly the same as you would any other input field - use sql placeholders in a prepared query rather than blindly pasting untrusted input as sql.
>
> This is what I'm talking about. I don't know this technique - I thought the only approach was to filter input. I'm using DBIx, AFAIK it does use placeholders ... ? If so, I can just take input, do some basic sanity filtering, and store?

Yes. It's something you should trust your ORM to get right, rather than doing things at the application level.

Some databases don't really support placeholders, though, so the DBD drivers fake up support instead. I'm not sure whether I'd trust that quite as much, so it depends on the database you're using. Postgresql or Mysql should be fine, I've no idea about others.

There can be a lot of other pain with dealing with i18n user data in the database, but sql injection problems shouldn't be one of them (well, they might be occasionally, but at the sort of level it's hard for anyone other than the DB and ORM developers to deal with).

Cheers, Steve
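Why placeholders protect, and how DBI's quote() compares, as an added example (not code from any poster in this thread): with a bound parameter the statement is parsed with `?` in place of the value and the value is handed over separately as data, so an apostrophe in it never becomes SQL syntax. The sketch assumes DBI with DBD::SQLite and an in-memory database; the table, the function names and the sample strings are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use utf8;    # the string literals below are character strings
use DBI;

binmode STDOUT, ':encoding(UTF-8)';

# Assumption: DBD::SQLite is installed. An in-memory database keeps the
# example offline; sqlite_unicode makes text go in and come out as characters.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, AutoCommit => 1, sqlite_unicode => 1 });

$dbh->do('CREATE TABLE users (name TEXT NOT NULL)');
my $ins = $dbh->prepare('INSERT INTO users (name) VALUES (?)');
$ins->execute($_) for ('root', 'मराठी', '王小明', "D'Arcy");

# UNSAFE: the value is pasted into the SQL text, so the database parses
# whatever the value contains as part of the statement.
sub count_interpolated {
    my ($name) = @_;
    my ($n) = $dbh->selectrow_array(
        "SELECT COUNT(*) FROM users WHERE name = '$name'");
    return $n;
}

# SAFE: the SQL text is fixed; the value is bound to the placeholder and is
# only ever compared as a string, whatever characters it contains.
sub count_bound {
    my ($name) = @_;
    my ($n) = $dbh->selectrow_array(
        'SELECT COUNT(*) FROM users WHERE name = ?', undef, $name);
    return $n;
}

# Fallback when bind variables are unavailable: quote() escapes the value for
# this driver and adds the surrounding quotes. Every value must go through
# it, which is easier to forget than a placeholder.
sub count_quoted {
    my ($name) = @_;
    my ($n) = $dbh->selectrow_array(
        'SELECT COUNT(*) FROM users WHERE name = ' . $dbh->quote($name));
    return $n;
}

my %lookup = (
    interpolated => \&count_interpolated,
    bound        => \&count_bound,
    quoted       => \&count_quoted,
);

# Constructed input: a Devanagari name, a legitimate name containing an
# apostrophe, and a value whose apostrophes change the WHERE clause when it
# is interpolated.
for my $input ('मराठी', "D'Arcy", "x' OR '1'='1") {
    print "input: $input\n";
    print '  quote() gives: ', $dbh->quote($input), "\n";
    for my $how (qw(interpolated bound quoted)) {
        my $n = eval { $lookup{$how}->($input) };   # RaiseError dies on bad SQL
        printf "  %-12s -> %s\n", $how,
            defined $n ? "$n row(s) matched" : 'SQL error';
    }
}
```

The apostrophe in a legitimate name is enough to break the interpolated query, which is why character filtering is a poor substitute for binding: the bound version needs no knowledge of the input's language or alphabet.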
[Catalyst] question from tutorial - does creating HTML in a controller using HTML::Widget violate MVC?
Hello all,

I thought the tutorial was absolutely great - things that I had in the past spent hours developing myself are practically plug and play and it gives you a nice taste of how powerful Catalyst is!

One question about the tutorial though, doesn't building presentation material inside the controller using HTML::Widget sort of break the MVC concept? After reading the Catalyst intro and about MVC I thought I wouldn't be writing anything HTML or presentation specific in the M or the C parts, only in the V which are the TT files. Do I have something wrong in my thinking?

Leandro
[Catalyst] Re: Wikis
* Octavian Rasnita [EMAIL PROTECTED] [2006-12-05 14:45]:
> Does PHPWiki support creating tables without using html code?

Yes.

> I've checked their site, but I haven't found that something like that could be done.

Then you didn’t look for the text formatting rules.

> BTW, are there any wiki plug-ins for Catalyst?

No, but look at Wiki::Toolkit.

Regards,
-- 
Aristotle Pagaltzis // http://plasmasturm.org/
Re: [Catalyst] {OT] protecting against attacks with multilingual input
I'll never forget the hours I spent discovering that mysql needs some little-documented command on connect, even though all tables are declared as UTF8 ... one of the factors that decided me on postgresql for the next version.

In the first implementation of engoi, I was pretty paranoid about these things - there is some fairly draconian filtering going on. However, if I can relax and let people use usernames and passwords in their own character sets for the future, that would be a nice change to make. It *is* supposed to be multilingual, after all ...

many thanks for the help.

On 12/5/06, Steve Atkins [EMAIL PROTECTED] wrote:
> On Dec 5, 2006, at 5:28 AM, Daniel McBrearty wrote:
> > > If you're talking about sql injection then presumably you could do this exactly the same as you would any other input field - use sql placeholders in a prepared query rather than blindly pasting untrusted input as sql.
> >
> > This is what I'm talking about. I don't know this technique - I thought the only approach was to filter input. I'm using DBIx, AFAIK it does use placeholders ... ? If so, I can just take input, do some basic sanity filtering, and store?
>
> Yes. It's something you should trust your ORM to get right, rather than doing things at the application level.
>
> Some databases don't really support placeholders, though, so the DBD drivers fake up support instead. I'm not sure whether I'd trust that quite as much, so it depends on the database you're using. Postgresql or Mysql should be fine, I've no idea about others.
>
> There can be a lot of other pain with dealing with i18n user data in the database, but sql injection problems shouldn't be one of them (well, they might be occasionally, but at the sort of level it's hard for anyone other than the DB and ORM developers to deal with).
>
> Cheers, Steve

-- 
Daniel McBrearty
email : danielmcbrearty at gmail.com
www.engoi.com : the multi - language vocab trainer
BTW : 0873928131
Re: [Catalyst] model connect info to come from YAML configuration file
-- Brian Cassidy [EMAIL PROTECTED] wrote:
> Hermida, Leandro wrote:
> > Inside MyApp::Model::MyAppDB:
> >
> >     use strict;
> >     use base 'Catalyst::Model::DBIC::Schema';
> >
> >     __PACKAGE__->config(
> >         schema_class => 'MyAppDB',
> >         connect_info => [
> >             'dbi:SQLite:myapp.db',
> >             '',
> >             '',
> >             { AutoCommit => 1 },
> >         ],
> >     );
>
>     Model::MyAppDB:
>         schema_class: MyAppDB
>         connect_info:
>             - dbi:SQLite:myapp.db
>             - ''
>             - ''
>             - AutoCommit: 1
>
> -Brian

If you like putting your database config info in the general config area, you might want to consider using 'myapp'_local.yaml for database and other config stuff that changes from box to box (if you are using the configloader plugin). That way you split up the configuration that is application and configuration that is part of your local setup.

Configloader gives you quite a few options for this. You can even set up something like:

    myapp.yml
    myapp_dev.yml
    myapp_qa.yml
    myapp_prod.yml

and use an environment variable to choose the postfix for the local configuration. Read more about it at: http://search.cpan.org/~bricas/Catalyst-Plugin-ConfigLoader-0.13/lib/Catalyst/Plugin/ConfigLoader.pm if you are interested.
Re: [Catalyst] Re: Wikis
> > Does PHPWiki support creating tables without using html code?
>
> Yes.
>
> > I've checked their site, but I haven't found that something like that could be done.
>
> Then you didn’t look for the text formatting rules.

I have visited http://www.phpwiki.org/ and I have read the Text formatting rules sections, but I haven't seen anything about tables. Now I've read it again, and I still cannot find something about tables. Am I looking in a wrong place?

Thanks.

Teddy
Re: [Catalyst] Coverage tests in Catalyst
Ian Docherty wrote:
> Is it possible to do coverage tests in a Catalyst application? If so how? I can't find any references that help.

If you're using mod_perl, there is a brief section in the Devel::Cover man page that tells you how to do it.

- Perrin
[Catalyst] wiki of choice
Octavian Rasnita wrote:
> From: A. Pagaltzis [EMAIL PROTECTED]
> > That just means no one has taken the time to groom the wiki. You don’t have to move things out of it to get it well organised. Without a gnome or two to look after them, wikis tend to devolve into an unnavigable mess.
> >
> > Regards,
>
> If we are talking about off topic subjects, would you mind if I also put a question regarding Wikis? What wiki do you recommend? (in perl or php) I have tried TWiki, but it has some bugs that I don't know how to solve.

I like the MojoMojo wiki, which is a Catalyst application and will soon be powering the Catalyst website. The svn repository seems to no longer have DNS, though. (marcus?)

-- 
package JAPH;use Catalyst qw/-Debug/;($;=JAPH)->config(name => do { $,.=reverse qw[Jonathan tsu rehton lre rekca Rockway][$_].[split //, ;$;]->[$_].q; ;for 1..4;$,=~s;^.;;;$,});$;->setup;
Re: [Catalyst] FastCGI External
Sébastien Wagener wrote:
> I have a Catalyst application that is running as an external FastCGI process. My Apache config looks like
>
> FastCgiExternalServer /tmp/myapp -socket /tmp/myapp.socket
> [...]
> Alias /myapp/ /tmp/myapp/
>
> If I call http://localhost/myapp/user/login, Catalyst receives a request for login instead of user/login. (MyApp Log: GET request for login)

If I'm understanding you correctly, the problem is that $c->base changes for each request. For myapp.com/foo, the base is /, but for myapp.com/foo/bar, it's foo.

If that's the case, I solved the problem by putting the FastCgiExternalServer path inside the docroot and added a .fcgi extension to it:

DocumentRoot /var/www/htdocs
FastCgiExternalServer /var/www/htdocs/myapp.fcgi [-host|-socket] ...
Alias / /var/www/htdocs/myapp.fcgi
# etc.

I think the .fcgi is required due to an implicit SetHandler fcgi-script somewhere. If you set it explicitly, you may have more freedom on naming.

Hope this helps.

-- 
package JAPH;use Catalyst qw/-Debug/;($;=JAPH)->config(name => do { $,.=reverse qw[Jonathan tsu rehton lre rekca Rockway][$_].[split //, ;$;]->[$_].q; ;for 1..4;$,=~s;^.;;;$,});$;->setup;
Re: [Catalyst] Coverage tests in Catalyst
Ian Docherty wrote:
> Is it possible to do coverage tests in a Catalyst application? If so how? I can't find any references that help.

Catalyst apps aren't special -- do coverage tests like you would with any other perl module:

$ cover -delete
$ HARNESS_PERL_SWITCHES=-MDevel::Cover make test
$ cover

If you want coverage and not test coverage (why?), then just do

$ perl -MDevel::Cover myapp_server.pl
request stuff
$ cover

Regards,
Jonathan Rockway

-- 
package JAPH;use Catalyst qw/-Debug/;($;=JAPH)->config(name => do { $,.=reverse qw[Jonathan tsu rehton lre rekca Rockway][$_].[split //, ;$;]->[$_].q; ;for 1..4;$,=~s;^.;;;$,});$;->setup;
[Catalyst] Re: Wikis
* Octavian Rasnita [EMAIL PROTECTED] [2006-12-05 16:45]:
> I have visited http://www.phpwiki.org/ and I have read the Text formatting rules sections, but I haven't seen anything about tables.

Hmm, it’s not mentioned indeed. Ah well, documentation was always PhpWiki’s weak point… along with generally glacial development and a nearly comatose community… sigh. It’s less annoying than many alternatives, but you wouldn’t know that just from looking at the site.

Regards,
-- 
Aristotle Pagaltzis // http://plasmasturm.org/
Re: [Catalyst] Re: Wikis
If you're just looking for something quick and easy, have you tried pmwiki (www.pmwiki.org)? It's just php and flat-files, it's dead simple to set up and there's loads of documentation. There's a full markup list (including tables) at http://www.pmwiki.org/wiki/PmWiki/MarkupMasterIndex

Cxx

On Tue, 5 Dec 2006, A. Pagaltzis wrote:
> * Octavian Rasnita [EMAIL PROTECTED] [2006-12-05 16:45]:
> > I have visited http://www.phpwiki.org/ and I have read the Text formatting rules sections, but I haven't seen anything about tables.
>
> Hmm, it’s not mentioned indeed. Ah well, documentation was always PhpWiki’s weak point… along with generally glacial development and a nearly comatose community… sigh. It’s less annoying than many alternatives, but you wouldn’t know that just from looking at the site.
>
> Regards,
Re: [Catalyst] Coverage tests in Catalyst
Don't we have to do both of these?

Coverage of the 'make test' will only show coverage for those modules we can test 'statically' i.e. by making direct calls to the methods in the tests.

Tests that are done with LWP (or is it Mechanize) which are http requests to the application will probably be the bulk of the tests for a big application and these will not be caught by the first method but will by the second.

I suppose I am asking if both these can be combined to give total coverage from the two techniques.

Jonathan Rockway wrote:
> Ian Docherty wrote:
> > Is it possible to do coverage tests in a Catalyst application? If so how? I can't find any references that help.
>
> Catalyst apps aren't special -- do coverage tests like you would with any other perl module:
>
> $ cover -delete
> $ HARNESS_PERL_SWITCHES=-MDevel::Cover make test
> $ cover
>
> If you want coverage and not test coverage (why?), then just do
>
> $ perl -MDevel::Cover myapp_server.pl
> request stuff
> $ cover
>
> Regards,
> Jonathan Rockway
Re: [Catalyst] {OT] protecting against attacks with multilingual input
Jonathan Rockway wrote:
> Nilson Santos Figueiredo Junior wrote:
> > This way, everything will probably just work, even when the user has a on their names or any other weird characters.
>
> No, you can inject plenty of bad code without . You need to escape <, >, &, ", and '.
>
> Otherwise, consider
>
> footag bar=[% baz %]
>
> with baz = onload=alert('hello!'). This gets rendered as:
>
> footag bar= onload=alert('hello!'
>
> Oops.

I call BS. Anyone who does:

footag bar=[% baz %]

instead of:

footag bar=[% HTML.encode(baz) %]

in that case deserves what they get*.

*Yes, it depends on where $baz is getting set, who sets it, and what it contains.

-=Chris
Re: [Catalyst] {OT] protecting against attacks with multilingual input
On 12/5/06, Jonathan Rockway [EMAIL PROTECTED] wrote:
> Nilson Santos Figueiredo Junior wrote:
> > This way, everything will probably just work, even when the user has a on their names or any other weird characters.
>
> No, you can inject plenty of bad code without . You need to escape <, >, &, ", and '.

Quoting myself: ...everything will probably just work, even when the user has a on their names *or any other weird characters*.

Specifically you could use TT's already existing html filter. Or even write your own.

-Nilson Santos F. Jr.
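The attribute case argued over in this thread, as an added example that is not part of any list message: it renders the same value unfiltered, through TT's html filter, and inside a single-quoted attribute, where the documented html filter (which covers <, >, & and ") is not enough. The baz value is constructed sample input and the attr filter is a hypothetical custom filter written for this example.

```perl
use strict;
use warnings;
use Template;

# Constructed sample input: a value that tries to close the attribute it lands in.
my %vars = ( baz => q{" onload="alert('hello!')} );

my %templates = (
    # Unfiltered: the double quote in baz ends the bar attribute.
    raw       => q{<footag bar="[% baz %]">},
    # Stock html filter inside a double-quoted attribute.
    filtered  => q{<footag bar="[% baz | html %]">},
    # Same filter inside a single-quoted attribute: ' is outside what
    # the html filter is documented to convert.
    single    => q{<footag bar='[% baz | html %]'>},
    # Hypothetical custom filter that also encodes the single quote.
    single_ok => q{<footag bar='[% baz | attr %]'>},
);

my %entity = (
    '&' => '&amp;',
    '<' => '&lt;',
    '>' => '&gt;',
    '"' => '&quot;',
    "'" => '&#39;',
);

my $tt = Template->new(
    FILTERS => {
        # Static filter: receives the text, returns the encoded text.
        attr => sub {
            my $text = shift;
            $text =~ s/([&<>"'])/$entity{$1}/g;
            return $text;
        },
    },
) or die Template->error;

for my $name (qw(raw filtered single single_ok)) {
    my $out = '';
    $tt->process( \$templates{$name}, \%vars, \$out ) or die $tt->error;
    print "$name: $out\n";
}
```

Run it with Template Toolkit installed and compare the four printed lines: wherever the quote character that delimits the attribute appears unencoded inside the value, the value can close the attribute.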
Re: [Catalyst] question from tutorial - does creating HTML in a controller using HTML::Widget violate MVC?
Hermida, Leandro wrote:
> I thought the tutorial was absolutely great - things that I had in the past spent hours developing myself are practically plug and play and it gives you a nice taste of how powerful Catalyst is!
>
> One question about the tutorial though, doesn't building presentation material inside the controller using HTML::Widget sort of break the MVC concept? After reading the Catalyst intro and about MVC I thought I wouldn't be writing anything HTML or presentation specific in the M or the C parts, only in the V which are the TT files. Do I have something wrong in my thinking?

Nope, you're right, the form declarations belong to the view, HTML::Widget was an experiment and I wouldn't suggest using it anymore.

There should be a TT plugin imo similar to the CGI.pm one, just sane. :)

-- 
sebastian
Re: [Catalyst] question from tutorial - does creating HTML in a controller using HTML::Widget violate MVC?
Nilson Santos Figueiredo Junior wrote:
> c) write a TT plugin.
> [...]
> c is arguably clumsy and not practical at all.

It can be really easy to add custom view code to TT templates. You can immediately load any class and just call it:

[% USE MyView %]
[% MyView.method(arg) %]

If it supports a new() constructor, you can even have instances of it with different constructor args:

[% USE two_column = View::MultiColumn(2) %]

Or you can pass a sub ref to the stash with your data and just call it:

[% sub_ref(arg) %]

There's no need to do anything special for TT or make a plugin unless you want to do something that requires access to the TT internals.

- Perrin
Re: [Catalyst] question from tutorial - does creating HTML in a controller using HTML::Widget violate MVC?
On 12/5/06 7:51 PM, Nilson Santos Figueiredo Junior wrote:
> On 12/5/06, Sebastian Riedel [EMAIL PROTECTED] wrote:
> > HTML::Widget was an experiment and i wouldn't suggest using it anymore. There should be a TT plugin imo similar to the CGI.pm one, just sane. :)
>
> IMO, the real thing that's missing is Perl code layer between the controller and the template, i.e., the view should be composed by code + templates. If you don't do it this way you need to either
> a) put code which belongs to the view inside your controller,
> b) write large amounts of code in your templates using and reap *all* the great benefits that come along with large chunks of code written in TT language or
> c) write a TT plugin.

What would this Perl code layer be responsible for doing? Can you give some examples?

-John
Re: [Catalyst] question from tutorial - does creating HTML in a controller using HTML::Widget violate MVC?
On 12/5/06, Perrin Harkins [EMAIL PROTECTED] wrote:
> It can be really easy to add custom view code to TT templates. You can immediately load any class and just call it:
>
> [% USE MyView %]
> [% MyView.method(arg) %]

Yes, but you'd need to manually use the correct class in every template and then call the appropriate method. This can be automated for the general case.

> Or you can pass a sub ref to the stash with your data and just call it:
>
> [% sub_ref(arg) %]

Yes, but this sub ref would need to be created somewhere else, which would probably end up being at the controller, which is wrong.

> There's no need to do anything special for TT or make a plugin unless you want to do something that requires access to the TT internals.

By plugin, I meant anything that is called Template::Plugin::* and can be USEd inside a template (since [% USE Module %] will map to Template::Plugin::Module).

-Nilson Santos F. Jr.
Re: [Catalyst] question from tutorial - does creating HTML in a controller using HTML::Widget violate MVC?
Nilson Santos Figueiredo Junior wrote:
> On 12/5/06, Perrin Harkins [EMAIL PROTECTED] wrote:
> > It can be really easy to add custom view code to TT templates. You can immediately load any class and just call it:
> >
> > [% USE MyView %]
> > [% MyView.method(arg) %]
>
> Yes, but you'd need to manually use the correct class in every template and then call the appropriate method. This can be automated for the general case.

You can just add it to your TT configuration, which is probably set in your view class. It's the PLUGINS option to Template->new().

> > Or you can pass a sub ref to the stash with your data and just call it:
> >
> > [% sub_ref(arg) %]
>
> Yes, but this sub ref would need to be created somewhere else, which would probably end up being at the controller, which is wrong.

Or, again, you could do it in your view class.

> > There's no need to do anything special for TT or make a plugin unless you want to do something that requires access to the TT internals.
>
> By plugin, I meant anything that is called Template::Plugin::* and can be USEd inside a template (since [% USE Module %] will map to Template::Plugin::Module).

That's what I'm saying: it does not need to be called Template::Plugin:: or inherit from any Template module in order to use it this way. Check out the TT docs for the USE directive and the LOAD_PERL and PLUGIN_BASE config options for more details.

- Perrin