I'll never forget the hours I spent discovering that MySQL needs some
little-documented command on connect, even though all tables are
declared as UTF-8 ... one of the factors that decided me on PostgreSQL
for the next version.

In the first implementation of engoi, I was pretty paranoid about
these things - there is some fairly draconian filtering going on.
However, if I can relax and let people use usernames and passwords in
their own character sets for the future, that would be a nice change
to make. It *is* supposed to be multilingual, after all ...

Many thanks for the help.

On 12/5/06, Steve Atkins <[EMAIL PROTECTED]> wrote:

On Dec 5, 2006, at 5:28 AM, Daniel McBrearty wrote:

>>
>> If you're talking about sql injection then presumably you could do
>> this exactly the same as you would any other input field - use sql
>> placeholders in a prepared query rather than blindly pasting
>> untrusted input as sql.
>>
>
> This is what I'm talking about. I don't know this technique - I
> thought the only approach was to filter input. I'm using DBIx, AFAIK
> it does use placeholders ... ? If so, I can just take input, do some
> basic "sanity" filtering, and store?

Yes. It's something you should trust your ORM to get right,
rather than doing things at the application level.

Some databases don't really support placeholders, though,
so the DBD drivers fake up support instead. I'm not sure
whether I'd trust that quite as much, so it depends on the
database you're using. PostgreSQL or MySQL should be fine,
I've no idea about others.

There can be a lot of other pain with dealing with i18n user
data in the database, but sql injection problems shouldn't
be one of them (well, they might be occasionally, but at the
sort of level it's hard for anyone other than the DB and ORM
developers to deal with).

Cheers,
   Steve

_______________________________________________
List: Catalyst@lists.rawmode.org
Listinfo: http://lists.rawmode.org/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.rawmode.org/
Dev site: http://dev.catalyst.perl.org/

--
Daniel McBrearty
email : danielmcbrearty at gmail.com
www.engoi.com : the multi - language vocab trainer
BTW : 0873928131
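Steve's point about placeholders, shown as an added example (mine, not code from this thread, from engoi or from DBIx::Class). It uses plain DBI against an in-memory SQLite database through DBD::SQLite so it runs without a database server; the users table and the sample usernames are constructed for the demonstration. The same "?" bind style is what DBD::mysql and DBD::Pg accept, and DBIx::Class generates exactly this kind of prepared query for you, so the contrast below is what the ORM buys you.

```perl
#!/usr/bin/perl
# Added example, not from the thread: the same username lookup done by
# string interpolation and by DBI placeholders. DBD::SQLite stands in for
# the DBD::mysql or DBD::Pg driver a Catalyst app would use; the table and
# the usernames are constructed for this demonstration.
use strict;
use warnings;
use utf8;
use DBI;

binmode STDOUT, ':encoding(UTF-8)';

# sqlite_unicode tells the driver to hand Perl character strings to and
# from the database. DBD::mysql's equivalent flag is mysql_enable_utf8,
# DBD::Pg's is pg_enable_utf8 (assumption: you use one of those drivers).
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, sqlite_unicode => 1 });

$dbh->do('CREATE TABLE users (id INTEGER PRIMARY KEY,'
       . ' username TEXT NOT NULL UNIQUE, pw_hash TEXT NOT NULL)');

# What "sanity" filtering is still for: business rules (length, no control
# characters), not escaping. Quotes, semicolons and non-Latin scripts are
# fine, because with placeholders they never reach the parser as SQL.
sub username_ok {
    my ($name) = @_;
    return defined $name
        && length($name) >= 1 && length($name) <= 64
        && $name !~ /\p{Cc}/;    # reject control characters only
}

# Placeholders on the write side: the username is sent as data, whatever
# characters it contains.
my $ins = $dbh->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)');
for my $row ([ 'alice', 'hash-a' ], [ 'bob', 'hash-b' ],
             [ 'Владимир', 'hash-c' ],    # non-ASCII username, stored as-is
             [ "o'neill", 'hash-d' ]) {   # embedded quote, also just data
    die "rejected username: $row->[0]\n" unless username_ok($row->[0]);
    $ins->execute(@$row);
}

# VULNERABLE: untrusted input pasted into the SQL text.
sub find_user_interpolated {
    my ($dbh, $username) = @_;
    my $sql = "SELECT username FROM users WHERE username = '$username'";
    return $dbh->selectcol_arrayref($sql);
}

# SAFE: the SQL text is fixed; the value travels separately as a bind value.
sub find_user_placeholder {
    my ($dbh, $username) = @_;
    my $sql = 'SELECT username FROM users WHERE username = ?';
    return $dbh->selectcol_arrayref($sql, undef, $username);
}

my $attack = "x' OR '1'='1";    # classic tautology payload

my $leaked = find_user_interpolated($dbh, $attack);
printf "interpolated: %d row(s) matched -> %s\n",
    scalar @$leaked, join(', ', @$leaked);

my $bound = find_user_placeholder($dbh, $attack);
printf "placeholder:  %d row(s) matched\n", scalar @$bound;

# Interpolation also breaks on legitimate input; placeholders do not.
my $ok = eval { find_user_interpolated($dbh, "o'neill"); 1 };
print "interpolated lookup of o'neill: ", ($ok ? "ok\n" : "error: $@");
for my $name ('Владимир', "o'neill") {
    my $rows = find_user_placeholder($dbh, $name);
    printf "placeholder lookup of %s: %s\n", $name, $rows->[0];
}
```

Run with a plain perl that has DBI and DBD::SQLite installed. The interpolated query matches every user for the payload and dies with a syntax error on a perfectly good name containing an apostrophe; the bound query matches nothing for the payload and finds both real users. On the "faked placeholders" caveat: DBD::mysql emulates placeholders client-side by default (it quotes the values and interpolates them itself unless you set mysql_server_prepare), so it is relying on its own quoting being right for the connection's character set. That is one more reason to set the charset explicitly at connect time rather than trust the table declarations alone.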