From: Vincent Deffontaines <gryzor@apache.org>
Date: Tue, 1 Jan 2013 11:57:08 +0000 (+0000)
Subject: Adding security related information
X-Git-Tag: 2.5.0-alpha~5932
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=8515b16581d4955e91266487538fff5db84b3369;p=apache

Adding security related information


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1427395 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/docs/manual/mod/mod_authn_dbd.html.en b/docs/manual/mod/mod_authn_dbd.html.en
index ef11c98977..c89cb1c342 100644
--- a/docs/manual/mod/mod_authn_dbd.html.en
+++ b/docs/manual/mod/mod_authn_dbd.html.en
@@ -57,6 +57,7 @@
 <li><img alt="" src="../images/down.gif" /> <a href="#socache">Performance and Cacheing</a></li>
 <li><img alt="" src="../images/down.gif" /> <a href="#example">Configuration Example</a></li>
 <li><img alt="" src="../images/down.gif" /> <a href="#exposed">Exposing Login Information</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#security">Preventing SQL injections</a></li>
 </ul><h3>See also</h3>
 <ul class="seealso">
 <li><code class="directive"><a href="../mod/mod_authn_core.html#authname">AuthName</a></code></li>
@@ -136,6 +137,17 @@ query to gather this additional information.</p>
 <p>This has the potential to dramatically simplify the coding and
 configuration required in some web applications.
 </p>
+</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="security" id="security">Preventing SQL injections</a></h2>
+
+  <p>It depends on what DBD driver and backend you use.  With most
+  drivers you don't have to do anything : the statement is prepared
+  by the database at startup, and user input is used only as data.
+  But you may need to untaint your input.  At the time of writing,
+  the only driver that requires you to take care is FreeTDS.</p>
+  <p>Please read <code class="module"><a href="../mod/mod_dbd.html">mod_dbd</a></code> documentation for more information
+  about security on this scope.</p>
 </div>
 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
 <div class="directive-section"><h2><a name="AuthDBDUserPWQuery" id="AuthDBDUserPWQuery">AuthDBDUserPWQuery</a> <a name="authdbduserpwquery" id="authdbduserpwquery">Directive</a></h2>
@@ -181,7 +193,7 @@ AuthDBDUserPWQuery "SELECT password FROM authn WHERE user = %s"
 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authn_dbd</td></tr>
 </table>
     <p>The <code class="directive">AuthDBDUserRealmQuery</code> specifies an
-    SQL query to look up a password for a specified user and realm in a 
+    SQL query to look up a password for a specified user and realm in a
     digest authentication process.
     The user's ID and the realm, in that order, will be passed as string
     parameters when the SQL query is executed.  They may be referenced
diff --git a/docs/manual/mod/mod_authn_dbd.xml b/docs/manual/mod/mod_authn_dbd.xml
index 5a339edc99..7c27191426 100644
--- a/docs/manual/mod/mod_authn_dbd.xml
+++ b/docs/manual/mod/mod_authn_dbd.xml
@@ -121,6 +121,17 @@ configuration required in some web applications.
 </p>
 </section>
 
+<section id="security">
+<title>Preventing SQL injections</title>
+  <p>It depends on what DBD driver and backend you use.  With most
+  drivers you don't have to do anything : the statement is prepared
+  by the database at startup, and user input is used only as data.
+  But you may need to untaint your input.  At the time of writing,
+  the only driver that requires you to take care is FreeTDS.</p>
+  <p>Please read <module>mod_dbd</module> documentation for more information
+  about security on this scope.</p>
+</section>
+
 <directivesynopsis>
 <name>AuthDBDUserPWQuery</name>
 <description>SQL query to look up a password for a user</description>
@@ -164,7 +175,7 @@ AuthDBDUserPWQuery "SELECT password FROM authn WHERE user = %s"
 
 <usage>
     <p>The <directive>AuthDBDUserRealmQuery</directive> specifies an
-    SQL query to look up a password for a specified user and realm in a 
+    SQL query to look up a password for a specified user and realm in a
     digest authentication process.
     The user's ID and the realm, in that order, will be passed as string
     parameters when the SQL query is executed.  They may be referenced