Posted to dev@apr.apache.org by Nick Kew <ni...@webthing.com> on 2007/06/10 02:27:11 UTC

Untainting DBD input?

I've implemented (up to a point) an apr_dbd_freetds driver,
using freetds (http://www.freetds.org/) to support Microsoft
and Sybase SQL servers.

The FreeTDS library I used doesn't support prepared statements:
when I asked on the list they suggested using stored procedures
instead.  That means query inputs are not being fed to the
server as pure data, and need untainting.

I've implemented this in apr_dbd_freetds by extending the
prepared statement syntax to support parameters of the form
%{regexp}s (or %{regexp}123s to indicate also a size limit).
The regexp is then compiled, at config time, and applied in
the manner of Perl taint checking to incoming data.

I'm wondering whether the FreeTDS driver is the best place
for this, or whether it would be useful to generalise it to
support taint checking with other databases.  Any thoughts?


-- 
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/
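The parameter syntax described above, worked through as an added example: this is not apr_dbd_freetds code, and the function names (parse_taint_param, untaint_value, check_template, template_limit), the use of POSIX regex.h in place of whatever engine the driver compiles the pattern with, and the stored-procedure template are all assumptions made for illustration. It parses a %{regexp}s or %{regexp}123s parameter out of a statement template, compiles the regexp, and applies it Perl-taint style to an incoming value, rejecting anything that fails the pattern or exceeds the size limit.

```c
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical parser for one parameter of the form %{regexp}s or
 * %{regexp}123s. `spec` points at the '%'. On success the regexp is
 * copied to regex_out, limit_out gets the size limit (0 = none) and
 * consumed the number of characters used. Returns 1, else 0.
 * A '}' inside the regexp (e.g. a {1,4} quantifier) is tolerated: the
 * parameter ends at the first '}' followed by optional digits and 's'. */
int parse_taint_param(const char *spec, char *regex_out, size_t regex_cap,
                      size_t *limit_out, size_t *consumed)
{
    const char *p, *close, *q;
    size_t len;

    if (spec[0] != '%' || spec[1] != '{')
        return 0;
    p = spec + 2;
    for (close = p; ; close++) {
        close = strchr(close, '}');
        if (close == NULL)
            return 0;
        for (q = close + 1; *q >= '0' && *q <= '9'; q++)
            ;
        if (*q == 's')
            break;
    }
    len = (size_t)(close - p);
    if (len == 0 || len + 1 > regex_cap)
        return 0;
    memcpy(regex_out, p, len);
    regex_out[len] = '\0';
    *limit_out = (size_t)strtoul(close + 1, NULL, 10); /* 0 when no digits */
    *consumed = (size_t)(q + 1 - spec);
    return 1;
}

/* Apply the check to an incoming value, Perl-taint style: reject if it is
 * longer than the limit or if the regexp does not match. POSIX ERE stands
 * in for the engine the driver would use, and in the driver the pattern
 * would be compiled once in apr_dbd_prepare rather than per call.
 * Returns 1 (accepted) or 0 (rejected; an uncompilable pattern fails closed). */
int untaint_value(const char *regex, size_t limit, const char *value)
{
    regex_t re;
    int ok;

    if (limit != 0 && strlen(value) > limit)
        return 0;
    if (regcomp(&re, regex, REG_EXTENDED | REG_NOSUB) != 0)
        return 0;
    ok = regexec(&re, value, 0, NULL, 0) == 0;
    regfree(&re);
    return ok;
}

/* Test `value` against the first %{...}s parameter in a template.
 * Returns 1 accepted, 0 rejected, -1 if no well-formed parameter exists. */
int check_template(const char *tmpl, const char *value)
{
    char regex[128];
    size_t limit, used;
    const char *p;

    for (p = strchr(tmpl, '%'); p != NULL; p = strchr(p + 1, '%'))
        if (parse_taint_param(p, regex, sizeof regex, &limit, &used))
            return untaint_value(regex, limit, value);
    return -1;
}

/* Size limit of the first taint parameter in a template, or -1 if none parses. */
long template_limit(const char *tmpl)
{
    char regex[128];
    size_t limit, used;
    const char *p;

    for (p = strchr(tmpl, '%'); p != NULL; p = strchr(p + 1, '%'))
        if (parse_taint_param(p, regex, sizeof regex, &limit, &used))
            return (long)limit;
    return -1;
}

int main(void)
{
    /* Constructed stored-procedure template using the extended syntax. */
    const char *tmpl = "EXEC sp_find_user %{^[A-Za-z0-9_]+$}16s";
    const char *inputs[] = { "nick_kew", "nick kew", "averyveryverylongusername" };
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-28s -> %s\n", inputs[i],
               check_template(tmpl, inputs[i]) == 1 ? "accepted" : "rejected");
    return 0;
}
```

Anchoring the pattern (^...$) matters: an unanchored regexp only requires a match somewhere in the value, so the rest of the string would pass through to the stored procedure unchecked.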

Re: Untainting DBD input?

Posted by Nick Kew <ni...@webthing.com>.
On Sun, 10 Jun 2007 01:27:11 +0100
Nick Kew <ni...@webthing.com> wrote:

> I've implemented this in apr_dbd_freetds by extending the
> prepared statement syntax to support parameters of the form
> %{regexp}s (or %{regexp}123s to indicate also a size limit).
> The regexp is then compiled, at config time, and applied in
> the manner of Perl taint checking to incoming data.

Of course, I meant the regexps are compiled in apr_dbd_prepare.

Doh!

-- 
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/