Re: [Catalyst] Strange Problem: gb2312 showed incorrect in mod_perl, but correct in developer server
Apache might force the encoding of specific mime types. Check the apache config and look for the content type View::JSON generates.

cheers, moritz

On 02.06.2008 at 18:39, J. Shirley wrote:
> 2008/6/1 cui robin [EMAIL PROTECTED]:
>> 2008/6/2 J. Shirley [EMAIL PROTECTED]:
>>> 2008/6/1 cui robin [EMAIL PROTECTED]:
>>>> Hi,
>>>>
>>>> When a page is loaded in firefox, it will send an ajax request to
>>>> get data in json format. Some gb2312 words are in the json data.
>>>>
>>>> When catalyst is started by /home/robin/CBS/script/cbs_server.pl,
>>>> the data got by the client is the same as the data I print on the
>>>> screen by $c->log->debug(). It is shown correctly in the firefox
>>>> client or ie client.
>>>>
>>>> But when catalyst is run by apache mod_perl, the data got by the
>>>> client is different from the data I print on the screen by
>>>> $c->log->debug(). It is shown incorrectly.
>>>>
>>>> A Chinese word in the gb2312 charset has 2 bytes. What I found in
>>>> the client is that the 2 bytes of a Chinese word were split, and an
>>>> octal byte \303 or \302 was added before every byte, so it is shown
>>>> incorrectly in the client.
>>>>
>>>> Has anyone met the same problem when using mod_perl?
>>>>
>>>> Thanks!
>>>> Robincui
>>>
>>> How are you generating the JSON? We had a similar circumstance
>>> (although our production server would also exhibit failures under
>>> the built-in server) because of varying JSON.pm versions.
>>>
>>> Make sure you use a JSON module that properly understands unicode.
>>> I try to use Catalyst::View::JSON wherever possible, and if it
>>> isn't then JSON::XS::encode_json( $perlref ) works the most
>>> reliably.
>>>
>>> -J
>>
>> I use the standard JSON module [use JSON;] from cpan, version is 2.07.
>> Code like below:
>>
>>     my $json = new JSON;
>>     $json->canonical(1);
>>     my $response = $json->encode($var);
>>
>> But I think the problem has nothing to do with JSON, for some points
>> like below:
>>
>> 1. The problem does not occur when I use catalyst's built-in server.
>> 2. After the JSON module converts a hash to JSON data, I use
>>    $c->log->debug to output it to the screen, and I saw it was correct.
>>
>> I think the problem occurs when apache (mod_perl) sends data to the
>> client. The data was modified. But I don't know why.
>>
>> Some code like below:
>>
>>     my $jsResponse = $ajaxRequest->{response} . "\n $callback_function";
>>     # what is shown on the screen is correct
>>     $c->log->debug("JS Response:\n$jsResponse");
>>     $c->response->content_type('text/html; charset=GB2312');
>>     $c->response->body($jsResponse);
>>
>> The mod_perl, apache, perl versions are below:
>>
>>     [Mon Jun 02 12:28:31 2008] [notice] Apache/2.0.55 (Unix) PHP/5.2.3 mod_perl/2.0.3 Perl/v5.8.8 configured -- resuming normal operations
>>
>> Any other solution?
>
> Use Firebug, or related tools, and send the request and response
> headers outside of mod_perl as the browser sees them. That will help
> gather prudent information

___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
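
The \302/\303 pattern reported in this thread is the byte pattern produced when GB2312 octets are treated as Latin-1 characters and then encoded as UTF-8. The Perl sketch below is an added example, not code from any poster; the sample string and the helper names (`mangle`, `unmangle`, `looks_double_encoded`, `octal_dump`) are constructed for illustration, and it does not identify which layer of a given mod_perl setup performs the conversion.

```perl
use strict;
use warnings;
use Encode qw(encode decode);

# Constructed sample: U+4E2D and U+554A as a Perl character string.
my $text = "\x{4e2d}\x{554a}";

# Intended response body: GB2312 octets, two per character
# (Encode's canonical name for this encoding is euc-cn).
my $intended = encode('euc-cn', $text);

# Failure mode: the octets are read as Latin-1 characters and then
# written out as UTF-8, so every byte >= 0x80 becomes two bytes.
sub mangle {
    my ($octets) = @_;
    return encode('UTF-8', decode('ISO-8859-1', $octets));
}

# Inverse step, useful to confirm the diagnosis on a captured body.
sub unmangle {
    my ($octets) = @_;
    return encode('ISO-8859-1', decode('UTF-8', $octets));
}

# Heuristic: every non-ASCII byte is part of a \302/\303 + continuation
# pair. Genuine UTF-8 Latin text also matches, so only treat this as a
# hint when the response is declared as charset=GB2312.
sub looks_double_encoded {
    my ($octets) = @_;
    return $octets =~ /\A(?:[\x00-\x7f]|[\xc2\xc3][\x80-\xbf])*\z/
        && $octets =~ /[\xc2\xc3]/ ? 1 : 0;
}

sub octal_dump {
    my ($octets) = @_;
    return join '', map { sprintf '\\%03o', ord($_) } split //, $octets;
}

my $mangled = mangle($intended);
print "intended : ", octal_dump($intended), "\n";
print "mangled  : ", octal_dump($mangled),  "\n";
print "intended flagged: ", looks_double_encoded($intended), "\n";
print "mangled flagged : ", looks_double_encoded($mangled),  "\n";
print "round trip ok   : ", (unmangle($mangled) eq $intended ? 1 : 0), "\n";
```

Running the same check on a response body captured from the browser side shows whether the bytes on the wire still match the `charset=GB2312` declared in the Content-Type header.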
Re: [Catalyst] untainting utf8 text for db
On 5 Jun 2008, at 19:05, Daniel McBrearty wrote:
> database contains text fields which can be in any language and
> contain any text and punctuation
>
> 1. I am getting params back via a web form to create new records.
>    What do I do to validate input (apart from length check)?
> 2. I want to take a param and do a like(%$param%) search returning
>    matching records. How do I protect this?

You mean foo LIKE '%$param%' and it's done by

    $rs->search({ col => { -like => "%$param%" } })

-ash
Re: [Catalyst] untainting utf8 text for db
yes, that's what I meant. but does using the DBIx::Class construct sanitise, provide safety and prevent unwanted babies though? IIRC it does for creating records.

On Thu, Jun 5, 2008 at 8:10 PM, Ash Berlin [EMAIL PROTECTED] wrote:
> On 5 Jun 2008, at 19:05, Daniel McBrearty wrote:
>> database contains text fields which can be in any language and
>> contain any text and punctuation
>>
>> 1. I am getting params back via a web form to create new records.
>>    What do I do to validate input (apart from length check)?
>> 2. I want to take a param and do a like(%$param%) search returning
>>    matching records. How do I protect this?
>
> You mean foo LIKE '%$param%' and it's done by
>
>     $rs->search({ col => { -like => "%$param%" } })
>
> -ash

--
Daniel McBrearty
email : danielmcbrearty at gmail.com
http://www.engoi.com
http://danmcb.vox.com
http://danmcb.blogger.com
find me on linkedin and facebook
BTW : 0873928131
RE: [Catalyst] untainting utf8 text for db
I inquired about this myself a few months ago. Consensus, if I remember correctly, was that DBIC gives you some safety in that it uses placeholders, but that does not mean you're protected fully from bad input or malicious abuse of that parameter. I personally like having input meet specific requirements and if it doesn't meet them then just reject it. But that does not always fly, especially if you HAVE to be flexible. Another approach is rejecting input if it has characters or data that you know you don't want or expect, things like , %, (, ), \, /, ?, `, *, +, just as some examples. I think it's better to be more strict with input than less strict, especially if it's public facing. If it's internal then it's a different story.

Thanks,
--
Ali Mesdaq (CISSP, GIAC-GREM)
Security Researcher II
Websense Security Labs
http://www.WebsenseSecurityLabs.com
--

-----Original Message-----
From: Daniel McBrearty [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 05, 2008 11:22 AM
To: The elegant MVC web framework
Subject: Re: [Catalyst] untainting utf8 text for db

yes, that's what I meant. but does using the DBIx::Class construct sanitise, provide safety and prevent unwanted babies though? IIRC it does for creating records.

On Thu, Jun 5, 2008 at 8:10 PM, Ash Berlin [EMAIL PROTECTED] wrote:
> On 5 Jun 2008, at 19:05, Daniel McBrearty wrote:
>> database contains text fields which can be in any language and
>> contain any text and punctuation
>>
>> 1. I am getting params back via a web form to create new records.
>>    What do I do to validate input (apart from length check)?
>> 2. I want to take a param and do a like(%$param%) search returning
>>    matching records. How do I protect this?
>
> You mean foo LIKE '%$param%' and it's done by
>
>     $rs->search({ col => { -like => "%$param%" } })
>
> -ash
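
Binding the search term as a placeholder, as the `-like` search in this thread does, keeps the value out of the SQL text, but `%` and `_` inside the value still act as LIKE wildcards. The sketch below is an added example, not code from the thread: it uses plain DBI with an in-memory SQLite database (it assumes DBD::SQLite is installed) rather than DBIx::Class, and the table, rows and helper names are constructed.

```perl
use strict;
use warnings;
use utf8;
use DBI;

binmode STDOUT, ':encoding(UTF-8)';

# Constructed sample data in an in-memory SQLite database.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, sqlite_unicode => 1 });
$dbh->do('CREATE TABLE phrase (id INTEGER PRIMARY KEY, body TEXT)');
my $ins = $dbh->prepare('INSERT INTO phrase (body) VALUES (?)');
$ins->execute($_) for ("100% sure", "日本語 text", "it's a_b", "plain axb");

# Escape LIKE's own metacharacters (% and _) and the escape character,
# so the user's text is matched literally inside the pattern.
sub like_literal {
    my ($term) = @_;
    $term =~ s/([\\%_])/\\$1/g;
    return $term;
}

# The pattern is always bound with a placeholder; $escape only controls
# whether wildcards in the user's text are neutralised first.
sub search_contains {
    my ($term, $escape) = @_;
    my $pattern = '%' . ($escape ? like_literal($term) : $term) . '%';
    my $sql = q{SELECT body FROM phrase WHERE body LIKE ? ESCAPE '\\' ORDER BY id};
    return @{ $dbh->selectcol_arrayref($sql, undef, $pattern) };
}

# A quote is harmless when bound; a bare % or _ widens the match
# unless it is escaped; non-ASCII text needs no special handling.
for my $case (["'", 1], ['%', 0], ['%', 1], ['a_b', 0], ['a_b', 1], ['日本', 1]) {
    my ($term, $escape) = @$case;
    printf "%-4s escaped=%d -> %s\n", $term, $escape,
        join(' | ', search_contains($term, $escape));
}
```

With escaping off, a search for `%` returns every row and `a_b` also matches `plain axb`; with escaping on, each term matches only rows that contain it literally.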