On Thu, 2007-12-13 at 23:02 +0000, Ash Berlin wrote:
> > # 2
> > my $user = $rs->create({
> >     is_admin => 0,
> >     username => $c->req->param('username'),
> > });
>
> This comes under "never interpolate *anything* from the user into SQL."
Well, you have to get data into the database somehow. It goes without saying that the $rs->create call validates the data.

The issue here is using param(), which returns *a list* in list context. The thing that => points to is not coerced to scalar context. So in this case you're hoping the list only has one element, but you're not guaranteeing this in any way.

Consider a query string like username=foo&username=is_admin&username=1. Here,

    { username => $req->params('username') }

would be the same as

    { username => qw/foo is_admin 1/ }

A common mistake. This is very subtle and it's probably a security hole lurking in many, many apps.

Regards,
Jonathan Rockway
_______________________________________________
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[EMAIL PROTECTED]/
Dev site: http://dev.catalyst.perl.org/
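The list-context flattening described in the reply above, as an added, stand-alone example that is not part of the thread and not Catalyst code. The `param()` function below is a constructed stand-in for `$c->req->param` (list of all submitted values in list context, first value in scalar context), and the `%params` hash is constructed input mirroring the query string `username=foo&username=is_admin&username=1`. `build_unsafe`, `build_safe` and `single_param` are names chosen for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed request data: three values were submitted under "username".
my %params = ( username => [ 'foo', 'is_admin', '1' ] );

# Constructed stand-in for $c->req->param: every value in list context,
# the first one in scalar context (hypothetical helper, not Catalyst's).
sub param {
    my ($name) = @_;
    my @values = @{ $params{$name} || [] };
    return wantarray ? @values : $values[0];
}

# The pattern from the thread: the fat comma does not force scalar context,
# so the three values are flattened into the anonymous hash and the
# trailing pair becomes a second is_admin key that overrides the first.
sub build_unsafe {
    return { is_admin => 0, username => param('username') };
}

# Fix 1: force scalar context so exactly one value is stored.
sub build_safe {
    return { is_admin => 0, username => scalar param('username') };
}

# Fix 2 (stricter): refuse the request outright when a field that must be
# single-valued arrives more than once, so the anomaly is logged rather
# than silently truncated.
sub single_param {
    my ($name) = @_;
    my @values = param($name);
    die "parameter '$name' submitted " . scalar(@values) . " times\n"
        if @values > 1;
    return $values[0];
}

for my $pair ( [ unsafe => build_unsafe() ], [ safe => build_safe() ] ) {
    my ( $label, $row ) = @$pair;
    print "$label: ",
        join( ', ', map { "$_=$row->{$_}" } sort keys %$row ), "\n";
}

my $user = eval { { is_admin => 0, username => single_param('username') } };
print "strict: ", ( $user ? "accepted" : "rejected: $@" );
```

Running it prints `unsafe: is_admin=1, username=foo` for the flattened hash and `safe: is_admin=0, username=foo` for the scalar-context version; the strict variant dies with `parameter 'username' submitted 3 times`, which is the behaviour to prefer for any field that is later written to a privileged column.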