Re: apr_dbd_freetds

[Stefan Fritsch <sf...@sfritsch.de>]

On Wednesday 22 August 2012, Graham Leggett wrote:
> On 22 Aug 2012, at 7:18 PM, Nick Kew wrote:
> > PR 53666 tells us apr_dbd_freetds doesn't work with Sybase,
> > and very probably never did.  The reporter attaches a patch,
> > but it's one I'm not happy with, even if I had access to any
> > FreeTDS backend to test-drive (which I don't).  The basic
> > objection is that FreeTDS doesn't support prepared statements,
> > and the emulation in the driver opens big security issues.
> > 
> > We've had a bit of a thread on the subject on dev@httpd.
> > 
> > Is anyone in a position to take up the baton on FreeTDS?
> > 
> > If not, perhaps it's time we dropped that driver in favour
> > of the ODBC one.
> 
> Am I right in understanding that a user of the freetds driver could
> realistically use the ODBC driver instead? (I am assuming this is
> Windows).
> 
> If so, I would be in favour of deprecating the freetds driver and
> dropping the driver in v2.0, as a driver that doesn't support
> prepared statements suffers higher security risks.

I think the FreeTDS driver should either emulate prepared statements 
by using a known secure escaping function from FreeTDS. If that does 
not exist, it should be removed.

Also, apr_dbd_escape currently returns the unchanged string for 
FreeTDS. I would be more comfortable if it returned NULL (or if there 
was a way to return ENOTIMPL).