From 5c23f52166cd5e2aa348ec9006bf137fd6bea7fb Mon Sep 17 00:00:00 2001
From: Vincent Deffontaines <gryzor@apache.org>
Date: Sun, 6 Jan 2013 17:52:43 +0000
Subject: [PATCH] Security notes about SQL injection.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1429560 13f79535-47bb-0310-9956-ffa450edef68
---
 docs/manual/mod/mod_authn_dbd.html.en | 12 ++++++------
 docs/manual/mod/mod_authn_dbd.xml     | 10 +++++-----
 docs/manual/mod/mod_authz_dbd.html.en | 14 +++++++++++++-
 docs/manual/mod/mod_authz_dbd.xml     | 11 +++++++++++
 4 files changed, 35 insertions(+), 12 deletions(-)

diff --git a/docs/manual/mod/mod_authn_dbd.html.en b/docs/manual/mod/mod_authn_dbd.html.en
index c89cb1c342..996b2d1f87 100644
--- a/docs/manual/mod/mod_authn_dbd.html.en
+++ b/docs/manual/mod/mod_authn_dbd.html.en
@@ -141,11 +141,11 @@ configuration required in some web applications.
 <div class="section">
 <h2><a name="security" id="security">Preventing SQL injections</a></h2>
 
-  <p>It depends on what DBD driver and backend you use.  With most
-  drivers you don't have to do anything : the statement is prepared
-  by the database at startup, and user input is used only as data.
-  But you may need to untaint your input.  At the time of writing,
-  the only driver that requires you to take care is FreeTDS.</p>
+  <p>Whether you need to care about SQL security depends on what DBD driver
+  and backend you use.  With most drivers you don't have to do anything :
+  the statement is prepared by the database at startup, and user input is
+  used only as data.  But you may need to untaint your input.  At the time
+  of writing, the only driver that requires you to take care is FreeTDS.</p>
   <p>Please read <code class="module"><a href="../mod/mod_dbd.html">mod_dbd</a></code> documentation for more information
   about security on this scope.</p>
 </div>
@@ -238,7 +238,7 @@ var comments_identifier = 'http://httpd.apache.org/docs/trunk/mod/mod_authn_dbd.
     }
 })(window, document);
 //--><!]]></script></div><div id="footer">
-<p class="apache">Copyright 2012 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
+<p class="apache">Copyright 2013 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
 <p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!--
 if (typeof(prettyPrint) !== 'undefined') {
     prettyPrint();
diff --git a/docs/manual/mod/mod_authn_dbd.xml b/docs/manual/mod/mod_authn_dbd.xml
index 7c27191426..9eda1bf208 100644
--- a/docs/manual/mod/mod_authn_dbd.xml
+++ b/docs/manual/mod/mod_authn_dbd.xml
@@ -123,11 +123,11 @@ configuration required in some web applications.
 
 <section id="security">
 <title>Preventing SQL injections</title>
-  <p>It depends on what DBD driver and backend you use.  With most
-  drivers you don't have to do anything : the statement is prepared
-  by the database at startup, and user input is used only as data.
-  But you may need to untaint your input.  At the time of writing,
-  the only driver that requires you to take care is FreeTDS.</p>
+  <p>Whether you need to care about SQL security depends on what DBD driver
+  and backend you use.  With most drivers you don't have to do anything :
+  the statement is prepared by the database at startup, and user input is
+  used only as data.  But you may need to untaint your input.  At the time
+  of writing, the only driver that requires you to take care is FreeTDS.</p>
   <p>Please read <module>mod_dbd</module> documentation for more information
   about security on this scope.</p>
 </section>
diff --git a/docs/manual/mod/mod_authz_dbd.html.en b/docs/manual/mod/mod_authz_dbd.html.en
index 9aeedb4031..8f121782c9 100644
--- a/docs/manual/mod/mod_authz_dbd.html.en
+++ b/docs/manual/mod/mod_authz_dbd.html.en
@@ -58,6 +58,7 @@
 <li><img alt="" src="../images/down.gif" /> <a href="#login">Database Login</a></li>
 <li><img alt="" src="../images/down.gif" /> <a href="#client">Client Login</a></li>
 <li><img alt="" src="../images/down.gif" /> <a href="#example">Configuration example</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#security">Preventing SQL injections</a></li>
 </ul><h3>See also</h3>
 <ul class="seealso">
 <li><code class="directive"><a href="../mod/mod_authz_core.html#require">Require</a></code></li>
@@ -151,6 +152,17 @@ DBDExptime 300
 &lt;/Directory&gt;
 </pre>
 
+</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="security" id="security">Preventing SQL injections</a></h2>
+
+  <p>Whether you need to care about SQL security depends on what DBD driver
+  and backend you use.  With most drivers you don't have to do anything :
+  the statement is prepared by the database at startup, and user input is
+  used only as data.  But you may need to untaint your input.  At the time
+  of writing, the only driver that requires you to take care is FreeTDS.</p>
+  <p>Please read <code class="module"><a href="../mod/mod_dbd.html">mod_dbd</a></code> documentation for more information
+  about security on this scope.</p>
 </div>
 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
 <div class="directive-section"><h2><a name="AuthzDBDLoginToReferer" id="AuthzDBDLoginToReferer">AuthzDBDLoginToReferer</a> <a name="authzdbdlogintoreferer" id="authzdbdlogintoreferer">Directive</a></h2>
@@ -263,7 +275,7 @@ var comments_identifier = 'http://httpd.apache.org/docs/trunk/mod/mod_authz_dbd.
     }
 })(window, document);
 //--><!]]></script></div><div id="footer">
-<p class="apache">Copyright 2012 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
+<p class="apache">Copyright 2013 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
 <p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!--
 if (typeof(prettyPrint) !== 'undefined') {
     prettyPrint();
diff --git a/docs/manual/mod/mod_authz_dbd.xml b/docs/manual/mod/mod_authz_dbd.xml
index 8b57120ea1..fa1a2bae3b 100644
--- a/docs/manual/mod/mod_authz_dbd.xml
+++ b/docs/manual/mod/mod_authz_dbd.xml
@@ -135,6 +135,17 @@ DBDExptime 300
 </highlight>
 </section>
 
+<section id="security">
+<title>Preventing SQL injections</title>
+  <p>Whether you need to care about SQL security depends on what DBD driver
+  and backend you use.  With most drivers you don't have to do anything :
+  the statement is prepared by the database at startup, and user input is
+  used only as data.  But you may need to untaint your input.  At the time
+  of writing, the only driver that requires you to take care is FreeTDS.</p>
+  <p>Please read <module>mod_dbd</module> documentation for more information
+  about security on this scope.</p>
+</section>
+
 <directivesynopsis>
 <name>AuthzDBDQuery</name>
 <description>Specify the SQL Query for the required operation</description>
-- 
2.40.0