I'm looking to implement a DBD driver with a library that
has no prepared statement support.  Having asked on its
developer list, they recommend using stored procedures
instead.

That means we lose the safety of passing in all user
input as data.  So in turn, we need to untaint it carefully.
I have a scheme for that, involving things like "%{regexp}s"
in a format string.  But this relies on constructing an
untainted list of args from a tainted one, then constructing
an SQL statement from the untainted arguments list.

Conceptually, I'm trying to do something like this:

char* safe_statement(apr_pool_t *pool, int nargs,
                     regex_t **taint, char *fmt, ...)
{
    va_list args;
    va_list newargs;
    va_start(args, fmt);
    for (i=0; i<nargs; i++) {
       char *val = va_arg(args, char*);
       char *newval = untaint(pool, taint[i], val);

       /* now conceptually set newargs[i] to newval */
    }
    va_end(args);

    /* now pass the new args list to a normal vararg function */

    return apr_pvsprintf(pool, fmt, newargs);
}

but how to construct a va_list eludes me (and the nearest google
comes is "you can do it by dereferencing args in MSVC++ but that
fails in gcc").

Is there a way to do this?

-- 
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/