apr-dev mailing list archives

From Nick Kew <n...@webthing.com>
Subject Untainting DBD input?
Date Sun, 10 Jun 2007 00:27:11 GMT

I've implemented (up to a point) an apr_dbd_freetds driver,
using freetds (http://www.freetds.org/) to support Microsoft
and Sybase SQL servers.

The FreeTDS library I used doesn't support prepared statements:
when I asked on the list they suggested using stored procedures
instead.  That means query inputs are not being fed to the
server as pure data, and need untainting.

I've implemented this in apr_dbd_freetds by extending the
prepared statement syntax to support parameters of the form
%{regexp}s (or %{regexp}123s to indicate also a size limit).
The regexp is then compiled, at config time, and applied in
the manner of Perl taint checking to incoming data.

I'm wondering whether the FreeTDS driver is the best place
for this, or whether it would be useful to generalise it to
support taint checking with other databases.  Any thoughts?


-- 
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/
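As an added illustration (not code from the post or from apr_dbd_freetds), here is one way the %{regexp}s / %{regexp}123s check could look in C using POSIX regex.h. It assumes the spec holds a single parameter and that the regexp must match the whole value, which the post does not spell out.

```c
#include <regex.h>
#include <stdlib.h>
#include <string.h>

/* Taint-check one query input against a single parameter spec of the form
 * "%{regexp}s" or "%{regexp}NNNs" (NNN = maximum length in bytes).
 * Returns 1 if the value passes, 0 if it is rejected, -1 if the spec is
 * malformed or its regexp does not compile.  The regexp is wrapped in
 * ^(...)$ so it must match the whole value; that whole-match rule is an
 * assumption of this example, not something the post specifies. */
int untaint(const char *spec, const char *value)
{
    const char *open = strstr(spec, "%{");
    const char *close = open ? strrchr(open, '}') : NULL;
    size_t n, maxlen;
    char *anchored;
    regex_t re;
    int ok;

    if (!open || !close || close < open + 2)
        return -1;                        /* no %{...} pair in the spec */
    n = (size_t)(close - (open + 2));     /* length of the raw regexp */

    anchored = malloc(n + 5);             /* "^(" + regexp + ")$" + NUL */
    if (!anchored)
        return -1;
    memcpy(anchored, "^(", 2);
    memcpy(anchored + 2, open + 2, n);
    memcpy(anchored + 2 + n, ")$", 3);

    /* In a real driver the compile would happen once, at config time. */
    if (regcomp(&re, anchored, REG_EXTENDED | REG_NOSUB) != 0) {
        free(anchored);
        return -1;
    }
    free(anchored);

    /* Optional decimal size limit between '}' and the trailing 's'; 0 = none. */
    maxlen = (size_t)strtoul(close + 1, NULL, 10);
    if (maxlen && strlen(value) > maxlen)
        ok = 0;                            /* over the declared size limit */
    else
        ok = regexec(&re, value, 0, NULL, 0) == 0;

    regfree(&re);
    return ok;
}
```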
