Security

From Cyclone3 Wiki

Security functions

Execute an SQL query; the function does not allow more than one query to be executed in a single call

TOM::Database::SQL::execute(qq{SELECT * ...});

Escape an SQL variable (the caller still adds the surrounding quotes)

$value="'".TOM::Security::form::sql_escape($value)."'";

Bind SQL variables

TOM::Database::SQL::execute(qq{
   SELECT ID
   FROM a401_article
   WHERE ID_entity = ?
},'bind'=>[$ID_entity]);
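As an added example (not code from the Cyclone3 wiki), the three query patterns above applied to one request variable. It assumes the TOM modules are loaded, as they are inside a running Cyclone3 service, and that `%main::FORM` holds the request variables already validated by `<CHECK_FORM ...>`.

```perl
use strict;
use warnings;

# Request value; inside Cyclone3 it arrives in %main::FORM after
# <CHECK_FORM ...> has run. Defaults to '' here so the code is safe to load.
my $ID_entity = $main::FORM{'ID_entity'} // '';

# ID_entity is a numeric key, so reject anything that is not digits before
# it gets near a query at all. This check is added here, not a TOM function.
die "ID_entity must be numeric" unless $ID_entity =~ /^\d+$/;

# Pattern to avoid: the raw value becomes part of the SQL text, so the
# value's own content decides where the statement ends.
# my $sql = qq{SELECT ID FROM a401_article WHERE ID_entity = '$ID_entity'};

# 1) Escape and quote. sql_escape() handles the value's quoting characters,
#    but the value is still spliced into the text, and the surrounding
#    single quotes must be added by the caller.
my $quoted = "'" . TOM::Security::form::sql_escape($ID_entity) . "'";
TOM::Database::SQL::execute(qq{
   SELECT ID
   FROM a401_article
   WHERE ID_entity = $quoted
});

# 2) Bind. The value never enters the SQL text; it is passed separately via
#    'bind', so no escaping or quoting is needed, and execute() still refuses
#    a second statement in the query string.
TOM::Database::SQL::execute(qq{
   SELECT ID
   FROM a401_article
   WHERE ID_entity = ?
}, 'bind' => [$ID_entity]);
```

Prefer the bound form for any value that comes from a request; keep sql_escape() for the cases where a value has to be built into the query text, such as dynamic identifiers that binding cannot express.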

Check input variables in the service type

<CHECK_FORM ...> calls:
TOM::Security::form::check_form(...)

Reject input variables in the service type

<CONF_VAR id="FORM_reject" value="variable;variable2" />

Secure variable replacement in templates

$file_data=TOM::Utils::vars::replace_sec(
   $file_data,
   'notallow'=>['<MODULE','<VAR id']
);

Clean up direct output of form variables in XSGN before the module executes:

<input type="text" value="<@hive><$main::FORM{'field'}></@hive>">

or, in HTML code, to remove all tags:

<span><#@html2text><$main::FORM{'input'}></#@html2text></span>

Clean up direct output of form variables in XSGN after the module has filled in the data:

<input type="text" value="<#@hive><%db_value%></#@hive>">

Encoding/decoding variables sent over a URL

in HTML code:

<a href="?|?variable=value&variable2=value2">link</a>

in the domain service configuration:

$TOM::type_code=1;

function called to encode the URL:

my $variables="variable=value&variable2=value2";
my $code=TOM::Net::URI::URL::hash_encode($variables);