Hi,

-- Bill Moseley <[EMAIL PROTECTED]> wrote:

> I only scanned the report, but lots of interesting bits in there.
> The two PHP teams used the same framework (and not sure about the
> third, but perhaps similar), where the Perl and Java teams had a wider
> range of frameworks.  Might explain why the PHP teams had seemingly
> similar results.

The Zend team had to use the Zend Framework.

The Oxid Team (the winner team from PHP) wrote everything from scratch.

And for the 3rd I am not sure, should be written in the report ;-) ...


> I found it odd that the Perl frameworks had the SQL injection
> problems.  Most probably expected PHP to be weak there -- just
> goes to show how much bad PHP everyone is used to seeing.

The problem is here:
If there is an "internal server error" this is seen as "broken" and "perhaps SQL injection possible". If wrong inputs are rejected, it is voted as "OK".
These tests were made without looking into the source.

After some protest the wording is a little bit friendlier for the teams with "internal server error".


I looked into the code of the Perl teams: They all use an ORM wrapper (DBIx::Class or DBIx::DataModel), which should be safe.

But each team uses plain SQL in at least one query. Team 2 uses bind parameters and this is safe. Team 1 uses variables in SQL, but it seems to me that the values are clean.

Team 5 uses in one file a lot of SQL statements, and NO bind variables. It seems to me (!) that they get the unfiltered data and include it in SQL. Uuups!


Ciao
 Alvar
 (Perl Platform Representative in this contest)


--
** Alvar C.H. Freude, http://alvar.a-blast.org/
** http://www.assoziations-blaster.de/
** http://www.wen-waehlen.de/
** http://odem.org/
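Added example, not from Alvar's post and not code from any contest entry: a small DBI script that shows the two patterns the message contrasts. `find_user_interpolated` builds the SQL string from the request value (the Team 5 pattern); `find_user_bound` passes the value as a bind parameter (the Team 2 pattern). The table, the rows and the input "O'Brien" are constructed here so the script runs offline against an in-memory SQLite database (assumes DBI and DBD::SQLite are installed). The interesting case is the ordinary apostrophe: on the interpolated path it breaks the statement and raises a database error, which is exactly what a web app turns into the "internal server error" the testers flagged, while the bound path treats it as data.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use DBI;

# Constructed sample schema and data (not from the contest) in an in-memory SQLite DB.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });

$dbh->do('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
my $ins = $dbh->prepare('INSERT INTO users (name) VALUES (?)');
$ins->execute($_) for ('Alice', "O'Brien");

# Pattern 1 (the one flagged above): the request value is interpolated straight
# into the SQL text. A quote in the input changes the statement's structure
# instead of being part of its data.
sub find_user_interpolated {
    my ($name) = @_;
    my $sql = "SELECT id, name FROM users WHERE name = '$name'";
    return $dbh->selectall_arrayref($sql);
}

# Pattern 2 (bind parameters): the statement text is fixed and the value is
# handed to the driver separately, so the database never parses it as SQL.
# DBIx::Class and DBIx::DataModel generate queries in this form.
sub find_user_bound {
    my ($name) = @_;
    return $dbh->selectall_arrayref(
        'SELECT id, name FROM users WHERE name = ?', undef, $name);
}

# Run both paths on a plain name and on a name containing an apostrophe.
for my $input ('Alice', "O'Brien") {
    my $rows = eval { find_user_interpolated($input) };
    if ($@) {
        my ($first_line) = split /\n/, $@;
        print "interpolated [$input]: DB error (a web app would report a 500): $first_line\n";
    }
    else {
        printf "interpolated [%s]: %d row(s)\n", $input, scalar @$rows;
    }

    $rows = find_user_bound($input);
    printf "bound        [%s]: %d row(s)\n", $input, scalar @$rows;
}

$dbh->disconnect;
```

Reading the output side by side makes the report's scoring rule concrete: the interpolated query returns one row for "Alice" but dies on "O'Brien", whereas the bound query returns one row for both. When reviewing Perl code for this, grep for double-quoted SQL strings containing `$` or `@` and for string concatenation into a statement; a `?` placeholder with the value passed to `execute` (or to `selectall_arrayref` as above) is the form to expect.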


_______________________________________________
List: [email protected]
Listinfo: http://lists.rawmode.org/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[email protected]/
Dev site: http://dev.catalyst.perl.org/
