Mostly I've placed it immediately beneath the use statements. It seems the most logical place. Ovid says to use them before you create a new CGI object. I don't know when CGI::Application does this, though my guess is that C::A doesn't create a CGI object until a query is requested. I do know that if used too late, the statements can't provide the intended protection. | [reply] |
I do know that if used too late, the statements can't provide the intended protection.
So, create a test that sees if the protection is there, verify that the test works by not having those statements, then put them in various places until you see the desired results.
A neat side-benefit is that if you incorporate that test into your test-suite, you have a good security-related test for future reference.
------
We are the carpenters and bricklayers of the Information Age.
Then there are Damian modules.... *sigh* ... that's not about being less-lazy -- that's about being on some really good drugs -- you know, there is no spoon. - flyingmoose
I shouldn't have to say this, but any code, unless otherwise stated, is untested
| [reply] |