[cgiapp] Re: LinkIntegrity vs ValidateQuery plugin?
Mark Stosberg
mark at summersault.com
Thu Apr 16 21:06:56 EDT 2009
On Tue, 14 Apr 2009 11:17:44 -0400
Michael Peters <mpeters at plusthree.com> wrote:
> Mark Stosberg wrote:
>
> > Anyone here using LinkIntegrity? How are you doing lightweight query
> > validation?
>
> To be honest, I don't do lightweight query validation. For projects that I work
> on I normally just have 1 validation framework (based on D::FV) and any place
> that's important enough to validate I just use the same framework.
>
> Also, I normally don't care about users changing links and getting ISE's, I
> consider that their own fault. And if by changing a URL they can see something
> they aren't supposed to see, I consider that a security design flaw and usually
> fixed a different way.
For our major application, an internal server error would cause a
"CRITICAL" log entry to be added, and our use of "swatch" would notice that
and e-mail the dev team, as well as a manager. We like to keep the
application running free of unknown server errors. If we validate the
query and then determine it was insufficient or invalid, then we can
know that the case should not be "not our fault" and we'll log at a
lower level. (Of course, it could be our fault if we generated a bad
link to our own application, but other kinds of testing could detect
that.)
I think if lightweight query validation was easier, it would be done
more.
I'll say though, there is a common case where run modes need to
validate the existence of exactly one ID and that's easy enough without
any special framework:
    # Bail out with a friendly error page instead of an internal server
    # error when the required ID is missing from the query.
    unless ($self->query->param('widget_id')) {
        return $self->error(
            title => 'Insufficient Information',
            msg   => 'Insufficient information was received to build this page.',
        );
    }
Another approach I've used to make applications more robust is simply to
pass fewer arguments. For example, it may be convenient to pass two
arguments, but can one be derived from the other? For example, given a
photo_id, can I determine which pet_id it must belong to?
Mark
--
http://mark.stosberg.com/
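The pattern Mark sketches above, worked into a small runnable CGI::Application app as an added example (this is not code from the original post or from the CGI::Application project). It assumes a hypothetical `WidgetApp` package, a hypothetical `error` method on the app (CGI::Application itself has no such method), and goes slightly beyond the snippet in the post by also requiring the ID to be numeric, so a tampered or malformed value is rejected with an ordinary log entry rather than an internal server error.

```perl
#!/usr/bin/perl
use strict;
use warnings;

package WidgetApp;    # hypothetical application name
use base 'CGI::Application';

# Register the run modes. The error page is deliberately not a run mode,
# so it cannot be reached by editing the rm= parameter; it is only ever
# returned by another run mode after validation fails.
sub setup {
    my $self = shift;
    $self->start_mode('show_widget');
    $self->run_modes( show_widget => 'show_widget' );
}

# Lightweight query validation: the named parameter must be present and
# look like an integer ID. Returns the value on success, or undef after
# logging at an ordinary (non-CRITICAL) level, since bad input is the
# caller's problem, not an application failure.
sub require_id_param {
    my ( $self, $name ) = @_;
    my $value = $self->query->param($name);
    if ( !defined $value || $value !~ /^\d+$/ ) {
        warn sprintf "query validation failed: %s=%s\n", $name,
            defined $value ? "'$value'" : 'missing';
        return;
    }
    return $value;
}

# Run mode that needs exactly one ID. With a valid ID it renders the page;
# otherwise it returns the error page instead of dying with a 500.
sub show_widget {
    my $self      = shift;
    my $widget_id = $self->require_id_param('widget_id');
    return $self->error(
        title => 'Insufficient Information',
        msg   => 'Insufficient information was received to build this page.',
    ) unless defined $widget_id;
    return "<h1>Widget $widget_id</h1>\n";
}

# Hypothetical helper: render a user-facing error page.
sub error {
    my ( $self, %args ) = @_;
    my $title = $args{title} || 'Error';
    my $msg   = $args{msg}   || 'An error occurred.';
    return "<h1>$title</h1><p>$msg</p>\n";
}

package main;
use CGI;

# Constructed sample requests (not real traffic): a valid ID, a tampered
# non-numeric ID, and a request with the ID missing entirely.
for my $params ( { widget_id => 42 }, { widget_id => 'abc' }, {} ) {
    my $app = WidgetApp->new( QUERY => CGI->new($params) );
    $app->run;    # prints the HTTP header and the page body
}
```

Run it from the command line with CGI::Application installed; the first request prints the widget page, the other two print the error page and emit a `query validation failed` warning on standard error, which a log watcher such as swatch can be told to treat at a lower severity than a genuine internal server error.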