Hi,

After much frustration I was able to get apr_dbd_mysql compiled and working on my machine. However, when testing the module I believe I stumbled across a nasty little bug. My user database was originally designed to store user passwords as md5 hashes and not the base64 encoded SHA1 digest. To remedy this I created a new column in the user table called pwd2 and modified my login routine to populate this column with the encrypted format Apache's basic auth is expecting. This requires everyone to log out and log back in to the system, of course, but in my environment that's OK. My initial Apache config to secure this section of the site with basic auth set the AuthDBDUserPWQuery to "SELECT pwd2 FROM users WHERE email=%s AND active=1". This worked and prevented invalid users (and inactive users) from authenticating, but if the pwd2 field was empty then any password would succeed. If pwd2 was NULL then the user was rejected, and if pwd2 had a string in it the user was rejected (excepting, of course, when pwd2 had the proper encrypted content).

This has got to be a bug in the apr_dbd_mysql code, but I unfortunately don't have time right now to track it down and provide a patch. To solve my problem I changed my query to "SELECT pwd2 FROM users WHERE email=%s AND active=1 AND pwd2 !=''" but this is an ugly hack. Where is the Bugzilla to file this?

-Scott
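
Added example, not part of the original message and not Apache or APR code: a fail-closed check for the empty-`pwd2` case described above, plus an audit that lists active accounts whose stored value could never be a valid hash. It assumes the stored format is `{SHA}` followed by the base64 SHA-1 digest, uses an in-memory SQLite table as a stand-in for the MySQL `users` table, and all rows and function names are constructed for illustration.

```python
import base64, binascii, hashlib, hmac, sqlite3

PREFIX = "{SHA}"  # assumed storage format: "{SHA}" + base64(SHA-1 digest)

def sha_hash(password):
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return PREFIX + base64.b64encode(digest).decode("ascii")

def parse_stored(stored):
    """Return the 20-byte digest, or None if the stored value is unusable."""
    if not stored or not stored.startswith(PREFIX):
        return None  # NULL, empty string, or wrong scheme
    try:
        raw = base64.b64decode(stored[len(PREFIX):], validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw if len(raw) == 20 else None

def check_password(conn, email, password):
    # Same lookup as the original AuthDBDUserPWQuery, without the pwd2 != '' guard.
    row = conn.execute(
        "SELECT pwd2 FROM users WHERE email=? AND active=1", (email,)
    ).fetchone()
    expected = parse_stored(row[0]) if row else None
    if expected is None:
        return False  # fail closed instead of comparing against an empty value
    actual = hashlib.sha1(password.encode("utf-8")).digest()
    return hmac.compare_digest(expected, actual)

def audit_unusable(conn):
    """Active accounts whose pwd2 is NULL, empty or malformed."""
    rows = conn.execute("SELECT email, pwd2 FROM users WHERE active=1 ORDER BY email")
    return [email for email, pwd2 in rows if parse_stored(pwd2) is None]

def build_sample_db():
    # Constructed sample data covering each case from the message.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, pwd2 TEXT, active INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice@example.test", sha_hash("correct horse"), 1),
        ("bob@example.test", "", 1),            # not yet migrated: empty pwd2
        ("carol@example.test", None, 1),        # NULL pwd2
        ("dave@example.test", "not-a-hash", 1),
        ("erin@example.test", sha_hash("pw"), 0),  # inactive
    ])
    return conn

if __name__ == "__main__":
    print(audit_unusable(build_sample_db()))
```

Running the audit before enabling authentication shows which accounts still have an unmigrated `pwd2`, so the outcome does not depend on how the password validator treats an empty stored value.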