[dancer-users] Auto-serialising of parameters

Andrew Beverley andy at andybev.com
Sat Mar 14 15:35:21 GMT 2015

Hi guys,

In the code for Dancer2::Plugin::Auth::Extensible I see the following:

    # For security, ensure the username and password are straight
    # scalars; if the app is using a serializer and we were sent a
    # blob of JSON, they could have come from that JSON, and thus
    # could be hashrefs (JSON SQL injection) - for database providers,
    # feeding a carefully crafted hashref to the SQL builder could
    # result in different SQL to what we'd expect.

That all makes sense. However, from what I understand, auto-serializing
now happens either for all requests or for none. Therefore, are these
sorts of checks required when running a recent version of Dancer2? Or is
it just the case that they should remain there in case an older version
of Dancer2 is being used?
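For readers following the thread, here is what the quoted comment is guarding against, as an added example; this is not code from Dancer2::Plugin::Auth::Extensible or the Dancer2 serializer layer. It uses core JSON::PP in place of whatever serializer the app has configured, SQL::Abstract as the builder the comment refers to, and an assumed helper name, plain_credentials, that accepts the two values only when both are defined, non-reference scalars. The request bodies are constructed for the demonstration.

```perl
#!/usr/bin/env perl
# Added example, not part of the plugin. Shows the "straight scalars" check
# applied to decoded JSON bodies before any value reaches an SQL builder.
use strict;
use warnings;
use JSON::PP;                      # core; stands in for the app's serializer
use SQL::Abstract;                 # the builder the plugin comment refers to
use Scalar::Util qw(reftype);

# Assumed helper (not a plugin API). Returns (username, password) only if
# both are defined plain scalars; a hashref, arrayref or missing value makes
# it return an empty list so the caller can reject the request early.
sub plain_credentials {
    my ($params) = @_;
    my @vals = @{$params}{qw(username password)};
    for my $v (@vals) {
        return if !defined $v || ref $v;
    }
    return @vals;
}

my $sqla = SQL::Abstract->new;

# Constructed request bodies, as a client might send them to a route on
# which a JSON serializer is enabled. Only the first is well-formed input.
my %bodies = (
    plain_scalars  => '{"username":"alice","password":"s3cret"}',
    hashref_value  => '{"username":{"name":"alice"},"password":"x"}',
    arrayref_value => '{"username":["alice"],"password":"x"}',
    missing_value  => '{"username":"alice"}',
);

for my $label (sort keys %bodies) {
    my $params = JSON::PP->new->decode($bodies{$label});
    my ($user, $pass) = plain_credentials($params);

    if (!defined $user) {
        # Report what the decoder actually produced for the offending field.
        my $kind = reftype($params->{username}) // 'undef';
        printf "%-15s rejected (username is %s, password %s)\n",
            $label, $kind, defined $params->{password} ? 'present' : 'missing';
        next;
    }

    # Because only plain scalars get here, SQL::Abstract always emits an
    # equality comparison with bound placeholders, never an operator hash.
    my ($sql, @bind) = $sqla->select('users', ['id'],
        { username => $user, password => $pass });
    printf "%-15s accepted: %s  bind=[%s]\n", $label, $sql, join ',', @bind;
}
```

The check costs one ref() test per field, so it is cheap enough to keep regardless of which Dancer2 version or serializer configuration is in play; where it pays off is that a decoded body is the only common way for a route parameter to stop being a scalar, and SQL::Abstract treats a hashref value as an operator specification rather than as data.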


