From: jan@unixpapa.com Date: Wed, 15 Jan 2014 02:29:22 +0000 (+0000) Subject: Note about SQL injection. X-Git-Tag: mod_authnz_external-3.3.2~3 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=ccfc0b1275dd7f2875f2d9a2b5c775d9fce08425;p=apache-authnz-external Note about SQL injection. --- diff --git a/mod_authnz_external/AUTHENTICATORS b/mod_authnz_external/AUTHENTICATORS index 98cde11..112ca49 100644 --- a/mod_authnz_external/AUTHENTICATORS +++ b/mod_authnz_external/AUTHENTICATORS @@ -26,6 +26,10 @@ SECURITY that are longer than 8192 characters, but don't depend this. Check very carefully for buffer overflows. + - Don't make assumptions about the content of the login and password strings. + For example, if you are using them in an SQL query, do proper checking + and/or quoting to insure that nobody is doing SQL injection. + - Think about locking. It is possible to get lots of hits at your website very fast, so there may be many programs simultaneously reading your authentication database, plus updates may be going on at the same time.
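Review bot: the new bullet in the SECURITY section says "do proper checking and/or quoting", which leaves escaping as an apparently equal option, but hand-rolled quoting of login and password strings is exactly where injection bugs usually come from; recommend rewording to put parameterized queries (prepared statements / bound parameters) first and mention quoting only as a last resort, e.g. "use parameterized queries (bound parameters) rather than building the query string from the login and password; if you must quote, use the database library's own quoting function". Also "insure" should be "ensure", and it would help to state plainly that the login and password arrive from an untrusted client and may contain quotes, NULs, newlines, or anything else, which is the reason the previous bullet's buffer-overflow warning and this one both apply.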