Home : Documentation : DBIx::Recordset
Google Web perl.apache.org

 
Home
 
Features
 
Introduction
 
Documentation
 
README
 
README.v2
 
Configuration
 
Embperl
 
Embperl::Object
 
Embperl::Form::Validate
 
Embperl::Syntax
 
Embperl::Recipe
 
Embperl::Mail
 
1.3.6 documentation
 
DBIx::Recordset
 
Installation
 
Download
 
Support
 
Changes
 
Wiki
 
More infos
 
Add info about Embperl
 
Login

    Stable 2.4.0
    Beta 2.5.0_3
Support the development of Embperl! More...
SECURITY
[ << Prev: DEBUGGING ] [ Content ] [ Next: Compatibility with different DBD drivers >> ]

Since one possible application of DBIx::Recordset is its use in a web-server environment, some attention should paid to security issues.

The current version of DBIx::Recordset does not include extended security management, but some features can be used to make your database access safer. (More security features will come in future releases.)

First of all, use the security feature of your database. Assign the web server process as few rights as possible.

The greatest security risk is when you feed DBIx::Recordset a hash which contains the formfield data posted to the web server. Somebody who knows DBIx::Recordset can post other parameters than those you would expect a normal user to post. For this reason, a primary issue is to override all parameters which should never be posted by your script.

Example: *set = DBIx::Recordset -> Search ({%fdat, ('!DataSource' => "dbi:$Driver:$DB", '!Table' => "$Table")}) ;

(assuming your posted form data is in %fdat). The above call will make sure that nobody from outside can override the values supplied by $Driver, $DB and $Table.

It is also wise to initialize your objects by supplying parameters which can not be changed.

Somewhere in your script startup (or at server startup time) add a setup call:

 *set = DBIx::Recordset-> Setup ({'!DataSource'  =>  "dbi:$Driver:$DB",
			                        '!Table'	  =>  "$Table",
			                        '!Fields'	  =>  "a, b, c"}) ;

Later, when you process a request you can write:

 $set -> Search (\%fdat) ;

This will make sure that only the database specified by $Driver, $DB, the table specified by $Table and the Fields a, b, and c can be accessed.


[ << Prev: DEBUGGING ] [ Content ] [ Next: Compatibility with different DBD drivers >> ]

© 1997-2012 Gerald Richter / ecos gmbh