Security
From Cyclone3 Wiki
Security functions
Execute an SQL query and do not allow more than one query to be executed in a single call (stacked queries are rejected):
TOM::Database::SQL::execute(qq{SELECT * ...});
Escape an SQL variable (note that the escaped value still has to be wrapped in quotes by the caller):
$value="'".TOM::Security::form::sql_escape($value)."'";
Bind SQL variables (preferred over escaping; the value is passed separately from the query text):
TOM::Database::SQL::execute(qq{ SELECT ID FROM a401_article WHERE ID_entity = ? },'bind'=>[$ID_entity]);
Check input variables in the service type:
<CHECK_FORM ...> calls: TOM::Security::form::check_form(...)
Reject input variables in the service type (a semicolon-separated list of variable names):
<CONF_VAR id="FORM_reject" value="variable;variable2" />
Secure variable replacement in templates (the 'notallow' list names tag prefixes that must not be emitted from replaced data):
$file_data=TOM::Utils::vars::replace_sec( $file_data, 'notallow'=>['<MODULE','<VAR id'] );
Clean up direct output of form variables in XSGN before the module executes:
<input type="text" value="<@hive><$main::FORM{'field'}></@hive>">
or, in HTML code, to remove all tags:
<span><#@html2text><$main::FORM{'input'}></#@html2text></span>
Clean up direct output of form variables in XSGN after the module has filled in the data:
<input type="text" value="<#@hive><%db_value%></#@hive>">
Encoding/decoding variables sent over a URL
In HTML code:
<a href="?|?variable=value&variable2=value2">link</a>
In the domain service configuration:
$TOM::type_code=1;
Function called to encode a URL:
my $variables="variable=value&variable2=value2";
my $code=TOM::Net::URI::URL::hash_encode($variables);