[dancer-users] Auto-serialising of parameters
andy at andybev.com
Sat Mar 14 15:35:21 GMT 2015
In the code for Dancer2::Plugin::Auth::Extensible I see the following:
# For security, ensure the username and password are straight
# scalars; if the app is using a serializer and we were sent a
# blob of JSON, they could have come from that JSON, and thus
# could be hashrefs (JSON SQL injection) - for database providers,
# feeding a carefully crafted hashref to the SQL builder could
# result in different SQL to what we'd expect.
That all makes sense. However, from what I understand, auto-serializing
now happens either for all requests or for none. Therefore, are these
sorts of checks required when running a recent version of Dancer2? Or is
it just the case that they should remain there in case an older version
of Dancer2 is being used?
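To make the concern in that comment concrete, here is an added example (not code from the plugin or from the list post) that decodes two constructed JSON bodies, feeds the values to a SQL::Abstract-style builder the way an unguarded provider might, and then applies the "straight scalars only" guard the comment describes. It assumes SQL::Abstract is installed; JSON::PP is core Perl.

```perl
use strict;
use warnings;
use JSON::PP qw(decode_json);
use SQL::Abstract;   # assumed installed; stands in for the provider's SQL builder

# Constructed sample bodies. The second one sends JSON objects where
# strings are expected; an app-level JSON serializer decodes those into
# Perl hashrefs rather than plain strings.
my @bodies = (
    '{"username":"alice","password":"s3cret"}',
    '{"username":{"!=":""},"password":{"!=":""}}',
);

# The guard the plugin comment describes: accept straight scalars only.
sub is_plain_scalar {
    my ($value) = @_;
    return defined $value && !ref $value;
}

# Builds the credential lookup the way an unguarded provider would, so
# the effect of a hashref reaching the builder is visible in the SQL.
sub login_sql {
    my ($sqla, $user, $pass) = @_;
    return $sqla->select('users', ['id'],
        { username => $user, password => $pass });
}

my $sqla = SQL::Abstract->new;
for my $body (@bodies) {
    my $params = decode_json($body);
    my ($user, $pass) = @{$params}{qw(username password)};

    # Without the guard, a hashref value is interpreted by the builder
    # as an operator clause, so the WHERE condition changes shape.
    my ($sql, @bind) = login_sql($sqla, $user, $pass);
    print "unguarded: $sql  bind=(@bind)\n";

    # With the guard, anything that is not a plain string is refused
    # before it can reach the builder.
    if (is_plain_scalar($user) && is_plain_scalar($pass)) {
        print "guarded:   accepted, same SQL as above\n";
    } else {
        print "guarded:   rejected, username/password were not plain strings\n";
    }
}
```

Run it and compare the two "unguarded" lines: the first uses equality on both columns, the second does not, which is exactly why the plugin refuses anything but plain scalars regardless of how the request was deserialized.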