You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by ni...@apache.org on 2008/04/22 03:07:45 UTC

svn commit: r650339 - /httpd/httpd/trunk/docs/manual/mod/mod_dbd.xml

Author: niq
Date: Mon Apr 21 18:07:42 2008
New Revision: 650339

URL: http://svn.apache.org/viewvc?rev=650339&view=rev
Log:
Document DBD taint checking and its necessity.

Modified:
    httpd/httpd/trunk/docs/manual/mod/mod_dbd.xml

Modified: httpd/httpd/trunk/docs/manual/mod/mod_dbd.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_dbd.xml?rev=650339&r1=650338&r2=650339&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_dbd.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_dbd.xml Mon Apr 21 18:07:42 2008
@@ -114,6 +114,38 @@
     or to provide their own directives and use <code>ap_dbd_prepare</code>.</p>
 </section>
 
+<section id="security">
+<title>SECURITY WARNING</title>
+    <p>Any web/database application needs to secure itself against SQL
+    injection attacks.  In most cases, Apache DBD is safe, because
+    applications use prepared statements, and untrusted inputs are
+    only ever used as data.  Of course, if you use it via third-party
+    modules, you should ascertain what precautions they may require.</p>
+    <p>However, the <var>FreeTDS</var> driver is inherently
+    <strong>unsafe</strong>.  The underlying library doesn't support
+    prepared statements, so the driver emulates them, and the
+    untrusted input is merged into the SQL statement.</p>
+    <p>It can be made safe by <em>untainting</em> all inputs:
+    a process inspired by Perl's taint checking.  Each input
+    is matched against a regexp, and only the match is used.
+    To use this, the untainting regexps must be included in the
+    prepared statements configured.  The regexp follows immediately
+    after the % in the prepared statement, and is enclosed in
+    curly brackets {}.  For example, if your application expects
+    alphanumeric input, you can use:</p>
+    <example>
+       <code>"SELECT foo FROM bar WHERE input = %s"</code>
+    </example>
+    <p>with other drivers, and suffer nothing worse than a failed query.
+    But with FreeTDS you'd need:</p>
+    <example>
+       <code>"SELECT foo FROM bar WHERE input = %{([A-Za-z0-9]+)}s"</code>
+    </example>
+    <p>Now anything that doesn't match the regexp's $1 match is
+    discarded, so the statement is safe.</p>
+    <p>An alternative to this may be the third-party ODBC driver,
+    which offers the security of genuine prepared statements.</p>
+</section>
 <directivesynopsis>
 <name>DBDriver</name>
 <description>Specify an SQL driver</description>