If you read closely (p43), re SQL injection:

"We record any failures to process our inputs appropriately as broken only, i.e., when an exception is raised that stems directly from the SQL processing rather than the application logic. We record a solution as correct if it processes acceptable inputs correctly and rejects unacceptable inputs with an error message produced under proper control of the application. Note that in this approach, an application flagged as broken may actually be acceptable (in particular: secure), but it is impossible to be sure from the outside so we take a conservative approach."
I'd guess that they got a Cat exception passed up from DBIx::Class, and classified that as broken, basically because the team didn't actually catch the error. But even so, the db itself would have been safe.

On 6/20/07, Bill Moseley <[EMAIL PROTECTED]> wrote:
> On Wed, Jun 20, 2007 at 06:35:31PM +0200, Daniel McBrearty wrote:
> > hate to admit it, but perl took a hammering in terms of the
> > completeness of solutions thing, maybe the most important metric. see
> > the charts on page 13. SOAP slowed 'em down, it seems.
>
> I only scanned the report, but lots of interesting bits in there.
>
> The two PHP teams used the same framework (and not sure about the third, but perhaps similar), where the Perl and Java teams had a wider range of frameworks. Might explain why the PHP teams had seemingly similar results.
>
> I found it odd that the Perl frameworks had the SQL injection problems. Most probably expected PHP to be weak there -- just goes to show how much bad PHP everyone is used to seeing.
>
> Overall, seems like a lot of mixed results -- too much variability to draw any concrete conclusions. Not that that will stop the camps from using the report to support their claims of superiority. ;)
>
> --
> Bill Moseley
> [EMAIL PROTECTED]
>
> _______________________________________________
> List: [email protected]
> Listinfo: http://lists.rawmode.org/mailman/listinfo/catalyst
> Searchable archive: http://www.mail-archive.com/[email protected]/
> Dev site: http://dev.catalyst.perl.org/
--
Daniel McBrearty
email : danielmcbrearty at gmail.com
www.engoi.com
danmcb.vox.com
danmcb.blogger.com
BTW : 0873928131
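To make the report's "broken versus correct" rule concrete, here is an added example (mine, not code from the report, from any contest team, or from the Catalyst/DBIx::Class projects) that applies the quoted rule to three registration handlers against a constructed SQLite table. The table, the inputs, the handler names and the AppError class are all assumptions for illustration. The point it demonstrates is the one raised above: a handler that uses bind parameters is safe from injection, yet if it lets the database driver's exception escape on a duplicate login it is still scored "broken", exactly like the handler that splices input into the SQL text, because an outside observer cannot tell the two failures apart.

```python
import sqlite3

# Constructed inputs for the classifier. "o'brien" is a legitimate login that
# happens to contain a quote, so it doubles as an injection probe.
ACCEPTABLE = [("carol", "carol@example.org"), ("o'brien", "ob@example.org")]
UNACCEPTABLE = [("alice", "alice2@example.org")]  # "alice" already exists


class AppError(Exception):
    """Rejection produced under control of the application (the 'error message'
    the report's rule asks for), as opposed to an exception from SQL processing."""


def make_db():
    # Constructed in-memory schema standing in for a contest application's backend.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members ("
        " id INTEGER PRIMARY KEY,"
        " login TEXT UNIQUE NOT NULL,"
        " email TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO members (login, email) VALUES (?, ?)",
        [("alice", "alice@example.org"), ("bob", "bob@example.org")],
    )
    conn.commit()
    return conn


def register_interpolated(conn, login, email):
    # Vulnerable: user input spliced into the statement text. A quote in the
    # login breaks the SQL and the engine's syntax error escapes unhandled.
    conn.execute(
        "INSERT INTO members (login, email) VALUES ('%s', '%s')" % (login, email)
    )
    conn.commit()
    return "registered"


def register_bound_unguarded(conn, login, email):
    # Bind parameters: the quote in "o'brien" is just data, no injection possible.
    # But a duplicate login violates the UNIQUE constraint and the driver's
    # IntegrityError escapes, so from outside this looks like the case above.
    conn.execute("INSERT INTO members (login, email) VALUES (?, ?)", (login, email))
    conn.commit()
    return "registered"


def register_bound_guarded(conn, login, email):
    # Bind parameters plus application-controlled rejection of bad input.
    if not login or len(login) > 32 or "@" not in email:
        raise AppError("invalid login or e-mail address")
    try:
        conn.execute("INSERT INTO members (login, email) VALUES (?, ?)", (login, email))
        conn.commit()
    except sqlite3.IntegrityError:
        conn.rollback()
        raise AppError("login already taken")
    return "registered"


def classify(handler):
    """Apply the report's rule to one handler.

    'correct': every acceptable input is processed and every unacceptable
    input is rejected with an application-controlled error.
    'broken':  anything else, in particular an exception that stems directly
    from SQL processing and escapes the handler.
    """
    conn = make_db()
    try:
        for login, email in ACCEPTABLE:
            if handler(conn, login, email) != "registered":
                return "broken"
        for login, email in UNACCEPTABLE:
            try:
                handler(conn, login, email)
            except AppError:
                continue  # controlled rejection, as the rule requires
            return "broken"  # unacceptable input was not rejected
    except AppError:
        return "broken"  # acceptable input wrongly rejected
    except sqlite3.Error:
        return "broken"  # exception straight from the SQL layer escaped
    return "correct"


if __name__ == "__main__":
    for handler in (register_interpolated, register_bound_unguarded, register_bound_guarded):
        print(handler.__name__, "->", classify(handler))
```

Running it scores both register_interpolated and register_bound_unguarded as "broken" and only register_bound_guarded as "correct". The classifier never looks at the SQL, only at whether an engine exception reached it, which is why a secure but sloppy handler and an injectable one land in the same bucket.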
