Thanks people, this is very helpful. Well, everything is PostgreSQL /
Linux, so MSSQL will never be an issue.

Also I only ever use utf8 ... so I guess I'm home and dry. It would be
very neat to be able to do this without locale-switching (and
installing).

As a matter of interest, does anyone have a reference on why
placeholders protect against injection attacks? If that is the case,
maybe I can even leave out \w filtering where that is appropriate to
do that.

thanks!

D

On 12/5/06, Brandon Black <[EMAIL PROTECTED]> wrote:
On 12/5/06, Daniel McBrearty <[EMAIL PROTECTED]> wrote:

> This is what I'm talking about. I don't know this technique - I
> thought the only approach was to filter input. I'm using DBIx, AFAIK
> it does use placeholders ... ? If so, I can just take input, do some
> basic "sanity" filtering, and store?
>

Yes, DBIC does use placeholders in most situations.  However, the
NoBindVars-based Storage classes do not.  This includes the notable
example of MSSQL via DBD::Sybase, which uses NoBindVars to work around
issues with FreeTDS and/or DBD::Sybase.  The only really good way to
fix this is to fix the DBDs or underlying DB libraries to properly
support bind variables in all cases.

> Phaylon : sure. A simple example would be, say, a multilingual web
> forum. A text field would have a size limit, but other than that most
> any utf8 character could be input.

If your encoding is utf-8, you'll read in the perl i18n/l10n docs that
UTF-8 has universal definitions for \w, \W, etc.  Thus you don't
really even need to know the language to safely validate for word vs
non-word chars, just the encoding.

-- Brandon

_______________________________________________
List: Catalyst@lists.rawmode.org
Listinfo: http://lists.rawmode.org/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.rawmode.org/
Dev site: http://dev.catalyst.perl.org/



--
Daniel McBrearty
email : danielmcbrearty at gmail.com
www.engoi.com : the multi - language vocab trainer
BTW : 0873928131

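The two points raised in this thread, why placeholders protect against injection and why UTF-8 lets \w stand in for per-language word lists, as an added example that is not part of the thread, of DBIx::Class or of the Catalyst project. It uses plain DBI against an in-memory SQLite database (assumes DBD::SQLite is installed; it stands in for PostgreSQL, whose DBD::Pg also binds server-side), a constructed author name containing an apostrophe, and a hypothetical `looks_like_text` sanity check:

```perl
#!/usr/bin/env perl
# Added example, not code from the thread: interpolation vs. placeholders,
# plus an encoding-level \w check. Assumes DBD::SQLite is installed.
use strict;
use warnings;
use utf8;                                  # string literals below are UTF-8
use DBI;

binmode STDOUT, ':encoding(UTF-8)';

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, sqlite_unicode => 1 });
$dbh->do('CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

# Constructed input: an apostrophe, the character that closes a quoted
# SQL string literal, and a multilingual body.
my $author = "O'Brien";
my $body   = "Grüße aus Köln, 你好";

# 1. Interpolation: the value becomes part of the SQL text and is parsed
#    as SQL. Here an honest apostrophe merely breaks the statement; any
#    value that reaches the parser can also change what the statement does.
my $interpolated = "INSERT INTO posts (author, body) VALUES ('$author', '$body')";
my $ok = eval { $dbh->do($interpolated); 1 };
print "interpolated: ", ($ok ? "ran\n" : "failed: $@");

# 2. Placeholders: the statement is compiled from fixed SQL text first;
#    $author and $body are handed over afterwards as data, so they are
#    never scanned for quotes or keywords and need no escaping.
my $sth = $dbh->prepare('INSERT INTO posts (author, body) VALUES (?, ?)');
$sth->execute($author, $body);
my ($count) = $dbh->selectrow_array('SELECT count(*) FROM posts');
print "placeholder: stored $count row\n";

# Round trip through a bound WHERE clause: the apostrophe survives intact.
my ($stored) = $dbh->selectrow_array(
    'SELECT author FROM posts WHERE author = ?', undef, $author);
print "round trip: $stored\n";

# Encoding-level "sanity" check (hypothetical helper). On decoded strings
# \w matches letters of any script, so one rule covers every language the
# forum accepts; the check limits length and character classes, nothing more.
sub looks_like_text {
    my ($s, $max) = @_;
    return length($s) <= $max && $s =~ /\A[\w\s.,!?'"()-]*\z/;
}

for my $s ("Grüße aus Köln", "你好 世界", "O'Brien", "<script>") {
    printf "%-16s %s\n", $s, looks_like_text($s, 100) ? "ok" : "rejected";
}
```

The safety property comes from ordering: with a placeholder the database (or the driver) fixes the statement's structure before it ever sees the value, so a bound value can only ever be a value. That is also why Brandon's caveat about NoBindVars storages matters: without real bind variables the quoted value is spliced back into the SQL text client-side, and the guarantee then rests on the quoting routine rather than on the parser. Note that the `looks_like_text` rule deliberately allows the apostrophe; with placeholders it is harmless, and rejecting it would lock real names out of the forum.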