You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@apr.apache.org by Stefan Fritsch <sf...@sfritsch.de> on 2012/09/07 22:03:17 UTC
Re: apr_dbd_freetds
On Wednesday 22 August 2012, Graham Leggett wrote:
> On 22 Aug 2012, at 7:18 PM, Nick Kew wrote:
> > PR 53666 tells us apr_dbd_freetds doesn't work with Sybase,
> > and very probably never did. The reporter attaches a patch,
> > but it's one I'm not happy with, even if I had access to any
> > FreeTDS backend to test-drive (which I don't). The basic
> > objection is that FreeTDS doesn't support prepared statements,
> > and the emulation in the driver opens big security issues.
> >
> > We've had a bit of a thread on the subject on dev@httpd.
> >
> > Is anyone in a position to take up the baton on FreeTDS?
> >
> > If not, perhaps it's time we dropped that driver in favour
> > of the ODBC one.
>
> Am I right in understanding that a user of the freetds driver could
> realistically use the ODBC driver instead? (I am assuming this is
> Windows).
>
> If so, I would be in favour of deprecating the freetds driver and
> dropping the driver in v2.0, as a driver that doesn't support
> prepared statements suffers higher security risks.
I think the FreeTDS driver should either emulate prepared statements
by using a known secure escaping function from FreeTDS. If that does
not exist, it should be removed.
Also, apr_dbd_escape currently returns the unchanged string for
FreeTDS. I would be more comfortable if it returned NULL (or if there
was a way to return ENOTIMPL).