From f7f84e9c95fb9655fb745e483ebe0190662a72fc Mon Sep 17 00:00:00 2001
From: "jan@unixpapa.com"
Date: Wed, 5 Oct 2011 03:09:31 +0000
Subject: [PATCH] Fixed an exploitable SQL injection flaw.
---
 mod_authnz_external/CHANGES | 2 ++
 mod_authnz_external/mysql/mysql-auth.pl | 4 +++-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/mod_authnz_external/CHANGES b/mod_authnz_external/CHANGES
index a60772a..77b71d5 100644
--- a/mod_authnz_external/CHANGES
+++ b/mod_authnz_external/CHANGES
@@ -4,6 +4,8 @@ v3.2.6 (Jan Wolter - )
 names that include spaces by enclosing them in quotes. This change suggested by David Homborg. Haven't actually tested this yet.
 * Default action of Makefile changed to "build" not "install".
+ * Corrected an exploitable SQL injection flaw in the sample mysql
+ authenticator.
 v3.2.5 (Jan Wolter - Oct 29, 2009)
 -----------------------------------------------
diff --git a/mod_authnz_external/mysql/mysql-auth.pl b/mod_authnz_external/mysql/mysql-auth.pl
index 0118e71..da6be4d 100644
--- a/mod_authnz_external/mysql/mysql-auth.pl
+++ b/mod_authnz_external/mysql/mysql-auth.pl
@@ -62,8 +62,10 @@ if (!$dbh) { exit 1; }
-my $dbq = $dbh->prepare("select username as username, password as password from users where username=\'$user\';");
+my $dbq = $dbh->prepare("select username as username, password as password from users where username=?;");
+$dbq->bind_param(1, $user);
 $dbq->execute;
+
 my $row = $dbq->fetchrow_hashref();
 if ($row->{username} eq "") {
-- 
2.40.0
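Review bot: The results of `prepare`, `bind_param` and `execute` in the mysql-auth.pl hunk are never checked, so a database error falls through to `fetchrow_hashref`, and the authentication outcome then depends on how the following `if ($row->{username} eq "")` branch handles an undefined row. Unless the connect call outside the hunk enables RaiseError, I would make the failure explicit and fail closed in the same way as the visible `if (!$dbh)` block: `$dbq->execute($user) or exit 1;`. Passing the value to `execute` also makes the separate `bind_param` line unnecessary. This is top-level script code that continues past the hunk, so the body of that `if` is not visible here and the current behaviour on an empty result is inferred.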