Posted to dev@httpd.apache.org by Rob Hartill <ro...@imdb.com> on 1996/06/10 19:13:59 UTC

Comments on 1.1b3 mod_auth_msql.c file (fwd)

not acked.
pick off whatever takes your fancy.



Message-Id: <19...@kci.kciLink.com>
To: Apache Bugs <ap...@mail.apache.org>
Subject: Comments on 1.1b3 mod_auth_msql.c file
Date: Mon, 10 Jun 1996 13:11:20 -0400
From: Vivek Khera <kh...@kci.kciLink.com>

Hi there.  I just put up Apache 1.1b3 and have some comments.

First, the imagemap problem I reported about my USA map identifying the wrong
state is fixed.  Thanks.

Second, I looked over the "merged" mod_auth_msql.c file which combines my
original version with the new version you intend on distributing.  I'm not
very confident in the version you distribute.  I cannot believe that all
functionality in that version has been tested.

For example, the code to test if a user is in the database only once tests the
number of COLUMNS returned by the SQL query, not the number of ROWS.  This is
obviously wrong, as the number of columns is *always* one.  In any case,
supporting a db which allows for multiple password entries for the same person
is just asking for trouble -- it violates good relational table design, too.

The code that tests for authorization duplicates lots of effort, too.  There
is no need for the msql_check_auth() function to test for the valid users.
That's already done for you.  It only needs to test the individual groups.
The way it does that requires one SQL query *per group* listed in the access
control file.  This is quite inefficient if you allow multiple groups to
access a given directory.  My version of mod_auth_msql.c does all groups in
one query to the server -- the merged version you are distributing wasn't
based on the latest version of my code which does groups very efficiently.

The only feature currently available in the distributed version not in mine is
the ability to ignore the actual password.  This is easily added to my code,
and I'll do it if you would rather distribute well-tested code that doesn't
support improper database design.

Not to keep beating a dead horse, but I still haven't heard why you aren't
using the mod_auth_msql.c that has been on your contrib site since the contrib
site was created.  It will cause *LOTS* of confusion for people who are using
that version, even with this merged code.  I personally don't trust the new
code since it is obvious it hasn't been tested completely as outlined above.

Thanks for your attention.

								v.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Vivek Khera, Ph.D.                        Khera Communications, Inc.
Internet: khera@kciLink.com               Rockville, MD       +1-301-258-8292
PGP/RIPEM/MIME spoken here                http://www.kciLink.com/home/khera/
----- End of forwarded message from Vivek Khera -----

-- 
Rob Hartill (robh@imdb.com)
The Internet Movie Database (IMDb)  http://www.imdb.com/
           ...more movie info than you can poke a stick at.
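
The two checks discussed in the forwarded report (counting rows rather than columns, and testing all groups in one query), as an added example that is not code from the post or from mod_auth_msql.c. It uses Python's sqlite3 in place of mSQL; the table names, column names and the fail-closed handling of duplicate entries are assumptions.

```python
import sqlite3

def make_db():
    # Constructed sample tables; names are assumptions, not the module's schema.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (uid TEXT, passwd TEXT);
        CREATE TABLE grps (uid TEXT, grp TEXT);
        INSERT INTO users VALUES ('alice', 'hashA');
        INSERT INTO grps VALUES ('alice', 'staff'), ('alice', 'web');
    """)
    return db

def user_found_by_columns(db, uid):
    # The flaw described: the SELECT list has one column, so this holds for any uid.
    cur = db.execute("SELECT passwd FROM users WHERE uid = ?", (uid,))
    return len(cur.description) == 1

def lookup_password(db, uid):
    # Count ROWS: exactly one row is a match; zero or several rows fail closed.
    rows = db.execute("SELECT passwd FROM users WHERE uid = ?", (uid,)).fetchall()
    return rows[0][0] if len(rows) == 1 else None

def in_any_group(db, uid, groups):
    # One query covers every group listed in the access control file.
    if not groups:
        return False
    marks = ",".join("?" * len(groups))
    sql = f"SELECT 1 FROM grps WHERE uid = ? AND grp IN ({marks}) LIMIT 1"
    return db.execute(sql, (uid, *groups)).fetchone() is not None

if __name__ == "__main__":
    db = make_db()
    print(user_found_by_columns(db, "mallory"), lookup_password(db, "mallory"))
    print(in_any_group(db, "alice", ["admin", "web"]))
```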