[dancer-users] Auto-serialising of parameters

Andrew Beverley andy at andybev.com
Sat Mar 14 15:35:21 GMT 2015


Hi guys,

In the code for Dancer2::Plugin::Auth::Extensible I see the following:

    # For security, ensure the username and password are straight
    # scalars; if the app is using a serializer and we were sent a
    # blob of JSON, they could have come from that JSON, and thus
    # could be hashrefs (JSON SQL injection) - for database providers,
    # feeding a carefully crafted hashref to the SQL builder could
    # result in different SQL to what we'd expect.

That all makes sense. However, from what I understand, auto-serializing
now happens either for all requests or for none. Therefore, are these
sorts of checks required when running a recent version of Dancer2? Or is
it just the case that they should remain there in case an older version
of Dancer2 is being used?

Thanks,

Andy
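An added example, not code from the plugin or from this thread, showing the kind of check that comment describes: it assumes SQL::Abstract as the query builder, and the helper name plain_scalar_or_die is a hypothetical.

```perl
use strict;
use warnings;
use SQL::Abstract;

# Reject anything that is not a defined, plain scalar. A decoded JSON
# body can hand the route a hashref or arrayref where a string was
# expected; a form post never can.
sub plain_scalar_or_die {
    my ($name, $value) = @_;
    die "$name must be a plain string\n"
        if !defined $value || ref $value;
    return $value;
}

my $sqla = SQL::Abstract->new;

# Constructed inputs: the first is what a form post yields, the second is
# what a JSON body {"username":{"!=":""},"password":{"!=":""}} decodes to.
my @cases = (
    { username => 'alice',        password => 'hunter2' },
    { username => { '!=' => '' }, password => { '!=' => '' } },
);

for my $params (@cases) {
    # Passed through unchecked, the builder treats a hashref as an operator
    # spec, so the WHERE clause is no longer a plain equality match.
    my ($sql, @bind) = $sqla->select('users', ['id'],
        { username => $params->{username}, password => $params->{password} });
    print "unchecked: $sql  bind=(@bind)\n";

    # With the type check in front, the hashref case is refused before
    # any SQL is built.
    my $ok = eval {
        plain_scalar_or_die($_, $params->{$_}) for qw(username password);
        1;
    };
    print $ok ? "accepted\n" : "rejected: $@";
}
```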
