httpd-dev mailing list archives

From Graham Leggett <>
Subject Re: Extending mod_authz_dbd
Date Wed, 15 Apr 2015 09:17:04 GMT
On 14 Apr 2015, at 7:38 PM, Jose Kahan <> wrote:

> require sql-query "SELECT * FROM foo WHERE user=${REMOTE_USER}
>                    AND uri=${REQUEST_URI} AND ${REQUEST_METHOD} in
>                    ('GET', 'POST')"
> While browsing for information regarding this point, I only
> found people asking if this was possible, but no hints if there
> had been (or will be) plans to do this.
> The defunct mod_auth_mysql used to propose something similar.
> This module is not officially maintained anymore.
> A possible point of confusion in the module's doc [1] is the
> phrase saying
>  "Since v2.4.8, expressions are supported within the DBD
>   require directives."


The limitations we’d have to work with are that all the queries are prepared statements,
and are reused for multiple requests. At the same time any query that is interpreted purely
as a string would need to be protected against SQL injection.

One possible way of approaching this would be to extend the dbd-login and dbd-logout require
directives with optional expression parameters, which can then be referred to in the prepared
statement, so you could do this:

  AuthzDBDQuery "UPDATE authn SET uri = %s, method = %s WHERE user = %s"

  Require dbd-logout %{TIME} %{REMOTE_USER}
  AuthzDBDQuery "UPDATE authn SET logout_time = %s WHERE user = %s"

To be backwards compatible, "Require dbd-login" on its own would imply "Require dbd-login

One possible approach to support completely generic queries might be as follows:

  Require dbd-query %{REQUEST_URI} %{REMOTE_USER}
  AuthzDBDQuery "SELECT count(user) FROM authn WHERE uri=%s AND user = %s"

The bit above where you’d limit the requests to GET or POST you’d probably do with Limit
or LimitExcept.
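The difference Graham draws between a query "interpreted purely as a string" (the quoted `require sql-query` idea, where `${REMOTE_USER}` and friends are expanded into the SQL text) and the proposed `Require dbd-query %{REQUEST_URI} %{REMOTE_USER}` form (expression values bound to the `%s` placeholders of a reused prepared statement) is easiest to see side by side. The following Python model is an added example and is not code from the thread or from mod_authz_dbd; it uses an in-memory sqlite3 table with a constructed `authn` schema (one row per authorised `(uri, user)` pair, an assumption) and sqlite3's `?` placeholder standing in for apr_dbd's `%s`.

```python
import sqlite3

# Constructed sample data, not from the thread: one row per (uri, user) grant.
SAMPLE_ROWS = [
    ("/private/report", "alice"),
    ("/private/report", "bob"),
    ("/public/index", "alice"),
]


def make_db():
    """Build the in-memory 'authn' table the examples query (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE authn (uri TEXT NOT NULL, user TEXT NOT NULL)")
    conn.executemany("INSERT INTO authn (uri, user) VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def expand_and_execute(conn, query_template, env):
    """Model of the quoted 'require sql-query' idea: ${VAR} references are
    substituted as raw text into the SQL before it runs, so whatever the
    client supplied in REMOTE_USER or REQUEST_URI becomes part of the SQL
    grammar. That is the injection exposure the reply warns about."""
    sql = query_template
    for name, value in env.items():
        sql = sql.replace("${" + name + "}", value)
    return conn.execute(sql).fetchone()[0]


def prepared_execute(conn, statement, params):
    """Model of the proposed 'Require dbd-query %{...} %{...}' form: the
    statement text is fixed (prepared once, reused per request) and the
    expression values are bound to its placeholders. A bound value is only
    ever data; it can never change the shape of the query."""
    return conn.execute(statement, params).fetchone()[0]


def authorised_by_interpolation(conn, user, uri):
    """Authorisation decision using string expansion (the risky form)."""
    template = ("SELECT count(user) FROM authn "
                "WHERE uri='${REQUEST_URI}' AND user='${REMOTE_USER}'")
    env = {"REQUEST_URI": uri, "REMOTE_USER": user}
    return expand_and_execute(conn, template, env) > 0


def authorised_by_prepared(conn, user, uri):
    """Authorisation decision using a prepared statement with bound parameters,
    mirroring the AuthzDBDQuery in the reply ('?' here plays the role of '%s')."""
    statement = "SELECT count(user) FROM authn WHERE uri=? AND user=?"
    return prepared_execute(conn, statement, (uri, user)) > 0


if __name__ == "__main__":
    db = make_db()
    # A constructed REMOTE_USER value containing SQL syntax. Under string
    # expansion it rewrites the WHERE clause; under parameter binding it is
    # just a username that matches no row.
    crafted_user = "x' OR '1'='1"
    for label, fn in (("interpolated", authorised_by_interpolation),
                      ("prepared", authorised_by_prepared)):
        print(f"{label:12s} alice   -> {fn(db, 'alice', '/private/report')}")
        print(f"{label:12s} mallory -> {fn(db, 'mallory', '/private/report')}")
        print(f"{label:12s} crafted -> {fn(db, crafted_user, '/private/report')}")
```

Run as a script it prints the decision for a legitimate user, an unknown user and the crafted value under both models: the interpolated query grants access to the crafted value because the expanded SQL now reads `... AND user='x' OR '1'='1'`, while the prepared statement refuses it. This is why binding `%{...}` expression results to the placeholders of a reused prepared statement, rather than templating them into the query text, is the safe way to give mod_authz_dbd generic queries.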