On 12/13/07, Jonathan Rockway <[EMAIL PROTECTED]> wrote:
>
>
> Be mindful of these cases, though:
>
> # 2
> my $user = $rs->create({
>     is_admin => 0,
>     username => $c->req->param('username'),
> });
Are you sure about this one? I just tested this with DBI_TRACE, and it does
appear to use bind variables when generating the INSERT statement. I tried
tripping it up with SQL injections, tossing in quotes, semicolons, etc., and
it always handled it gracefully, as it should when properly using binds.
_______________________________________________
List: [email protected]
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[EMAIL PROTECTED]/
Dev site: http://dev.catalyst.perl.org/
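A reproducible form of the bind check described in the reply, added here as an example and not code from the thread: a minimal hypothetical DBIx::Class schema (`My::Schema`, a `users` table with `id`, `username`, `is_admin`) against an in-memory SQLite database, inserting a hostile `username` through `create` and reading it back. It assumes DBIx::Class and DBD::SQLite are installed.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Hypothetical minimal Result class, constructed for this example.
package My::Schema::Result::User;
use base 'DBIx::Class::Core';
__PACKAGE__->table('users');
__PACKAGE__->add_columns(
    id       => { data_type => 'integer', is_auto_increment => 1 },
    username => { data_type => 'text' },
    is_admin => { data_type => 'integer', default_value => 0 },
);
__PACKAGE__->set_primary_key('id');

# Hypothetical Schema class that registers the Result class above.
package My::Schema;
use base 'DBIx::Class::Schema';
__PACKAGE__->register_class(User => 'My::Schema::Result::User');

package main;

my $schema = My::Schema->connect('dbi:SQLite:dbname=:memory:');
$schema->storage->dbh->do(
    'CREATE TABLE users ('
  . ' id INTEGER PRIMARY KEY AUTOINCREMENT,'
  . ' username TEXT, is_admin INTEGER DEFAULT 0)'
);

# Constructed hostile value: a quote, a statement terminator, a comment.
my $hostile = q{bob'); DROP TABLE users; --};

my $rs   = $schema->resultset('User');
my $user = $rs->create({ is_admin => 0, username => $hostile });

# Because the values travel as bind parameters, the string is stored
# verbatim and the table is still there to be read back from.
my $stored = $rs->find($user->id);
printf "rows=%d is_admin=%d username=%s\n",
    $rs->count, $stored->is_admin, $stored->username;
die "username was not stored verbatim"
    unless $stored->username eq $hostile;
```

Run it with `DBI_TRACE=2` set in the environment to see the prepared INSERT with `?` placeholders and the separate bind values, which is the evidence the reply refers to.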