YAPC::NA 2007

June 25-27, Houston, TX

EscapeCage: escape strings and prevent injection attacks

By Mark P Sullivan from NY.pm
Lightning talk

The EscapeCage module puts dangerous strings in a cage, easing their escaping to various encodings and preventing injection attacks. If an application cages all user-supplied strings, then a run-time exception will prevent application code from accidentally allowing an SQL, shell, cross-site scripting, or similar injection attack. EscapeCage's paranoia can be adjusted for development. The concept is similar to "tainted" data, but is implemented by overloading the '""' stringification operator (via the overload pragma) on blessed scalar references, so that any attempt to use a caged string without first escaping it raises an exception.
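The following is an added illustration of the caging idea described above, written for this page; it is not EscapeCage's own code, and the package name StringCage, the $PARANOID switch and the method names as_sql_literal, as_html and as_shell_word are assumptions made here rather than the module's API. A user-supplied string is blessed into a scalar reference whose stringification is overloaded to die, so forgetting to call an escape method fails loudly at run time instead of silently producing an injectable string.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical cage package; names are assumptions, not EscapeCage's API.
package StringCage;

use Carp qw(croak);

# Set to 0 during development to turn the run-time exception into a warning.
our $PARANOID = 1;

# Any implicit stringification (interpolation, concatenation, print) lands
# here. With no fallback specified, operators such as '.' are autogenerated
# from '""', so they trip this handler too.
use overload '""' => sub {
    my ($self) = @_;
    croak "uncaged use of user-supplied string; call an escape method first"
        if $PARANOID;
    warn "uncaged use of user-supplied string (paranoia off)\n";
    return $$self;
};

# Cage a raw string as a blessed scalar reference.
sub new {
    my ($class, $str) = @_;
    return bless \$str, $class;
}

# Escape for an SQL string literal: double embedded single quotes and wrap.
# Bound parameters are still the better choice where the driver supports them.
sub as_sql_literal {
    my ($self) = @_;
    (my $s = $$self) =~ s/'/''/g;
    return "'$s'";
}

# Escape for HTML text or attribute content.
sub as_html {
    my ($self) = @_;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    (my $s = $$self) =~ s/([&<>"'])/$ent{$1}/g;
    return $s;
}

# Escape as a single POSIX shell word: close the quote, emit an escaped
# quote, reopen, then wrap the whole value in single quotes.
sub as_shell_word {
    my ($self) = @_;
    (my $s = $$self) =~ s/'/'\\''/g;
    return "'$s'";
}

package main;

# Constructed sample input standing in for a web form field.
my $name = StringCage->new(q{O'Brien <script>alert(1)</script>});

# Each sink gets the encoding it needs, chosen explicitly by the caller.
my $sql  = "SELECT * FROM users WHERE name = " . $name->as_sql_literal;
my $html = "<td>" . $name->as_html . "</td>";
my $cmd  = "grep " . $name->as_shell_word . " /var/log/app.log";

print "$sql\n$html\n$cmd\n";

# Forgetting to escape is caught at run time rather than reaching the sink.
my $ok = eval { my $bad = "SELECT * FROM users WHERE name = '$name'"; 1 };
print "caught: $@" unless $ok;
```

Leaving fallback unset in the overload declaration is what makes the cage strict: string operators that are not explicitly overloaded are derived from '""' and therefore hit the croak. The $PARANOID switch mirrors the adjustable paranoia the abstract mentions, downgrading the exception to a warning so that a half-converted code base can be exercised without aborting on every uncaged use.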