granicus.if.org Git - apache-authnz-external/commitdiff
Note about SQL injection.
author jan@unixpapa.com <jan@unixpapa.com@8c465660-3f02-11de-a81c-fde7d73ceb89>
Wed, 15 Jan 2014 02:29:22 +0000 (02:29 +0000)
committer jan@unixpapa.com <jan@unixpapa.com@8c465660-3f02-11de-a81c-fde7d73ceb89>
Wed, 15 Jan 2014 02:29:22 +0000 (02:29 +0000)
mod_authnz_external/AUTHENTICATORS

index 98cde11ce110deb9292e6219c078aff7ac5d39a5..112ca49f056b352855a777bdf6c901a9a7b3b7f4 100644 (file)
@@ -26,6 +26,10 @@ SECURITY
    that are longer than 8192 characters, but don't depend this.  Check very
    carefully for buffer overflows.
 
+ - Don't make assumptions about the content of the login and password strings.
+   For example, if you are using them in an SQL query, do proper checking
+   and/or quoting to insure that nobody is doing SQL injection.
+
  - Think about locking.  It is possible to get lots of hits at your website
    very fast, so there may be many programs simultaneously reading your
    authentication database, plus updates may be going on at the same time.
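Review bot: the new bullet's advice to do "proper checking and/or quoting" leaves hand-rolled escaping as an acceptable defence, which is where most SQL injection bugs in authenticators come from; suggest naming parameterized queries (prepared statements) as the primary recommendation, with quoting mentioned only as a fallback for APIs that lack them, e.g. "pass the login and password as bound parameters rather than building the query string from them". Also, in the third added line "insure" should be "ensure".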