On Wednesday 22 August 2012, Graham Leggett wrote:
> On 22 Aug 2012, at 7:18 PM, Nick Kew wrote:
> > PR 53666 tells us apr_dbd_freetds doesn't work with Sybase,
> > and very probably never did. The reporter attaches a patch,
> > but it's one I'm not happy with, even if I had access to any
> > FreeTDS backend to test-drive (which I don't). The basic
> > objection is that FreeTDS doesn't support prepared statements,
> > and the emulation in the driver opens big security issues.
> >
> > We've had a bit of a thread on the subject on dev@httpd.
> >
> > Is anyone in a position to take up the baton on FreeTDS?
> >
> > If not, perhaps it's time we dropped that driver in favour
> > of the ODBC one.
>
> Am I right in understanding that a user of the freetds driver could
> realistically use the ODBC driver instead? (I am assuming this is
> Windows).
>
> If so, I would be in favour of deprecating the freetds driver and
> dropping the driver in v2.0, as a driver that doesn't support
> prepared statements suffers higher security risks.
I think the FreeTDS driver should either emulate prepared statements by using a known secure escaping function from FreeTDS or, if that does not exist, be removed. Also, apr_dbd_escape currently returns the unchanged string for FreeTDS. I would be more comfortable if it returned NULL (or if there was a way to return ENOTIMPL).
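An added example, not code from this thread or from APR: a caller-side guard in C that models the concern above. It assumes a driver-style escape hook shaped like a per-driver apr_dbd_escape function (a constructed model, not APR's real API), probes it with a lone quote, and treats an escaper that returns its input unchanged as unimplemented, yielding NULL as the reply asks for, instead of passing unescaped text on to a query.

```c
#include <stdlib.h>
#include <string.h>

/* Driver-style escape hook: returns a newly allocated escaped copy of s,
 * or NULL when escaping is not implemented. Constructed model of a
 * per-driver apr_dbd_escape function, not APR's real API. */
typedef char *(*escape_fn)(const char *s);

/* Models the FreeTDS behaviour described in the thread: the input comes
 * back unchanged, so quote characters survive into the query text. */
static char *identity_escape(const char *s)
{
    size_t n = strlen(s) + 1;
    char *out = malloc(n);
    return out ? memcpy(out, s, n) : NULL;
}

/* A working escaper for comparison: doubles each single quote, which is
 * how a SQL string literal carries an embedded quote. */
static char *quote_doubling_escape(const char *s)
{
    size_t n = strlen(s), extra = 0;
    for (size_t i = 0; i < n; i++)
        if (s[i] == '\'') extra++;
    char *out = malloc(n + extra + 1), *p = out;
    if (!out) return NULL;
    for (size_t i = 0; i < n; i++) {
        if (s[i] == '\'') *p++ = '\'';
        *p++ = s[i];
    }
    *p = '\0';
    return out;
}

/* Caller-side guard: probe the escaper with a lone quote, which any real
 * implementation must alter. If the probe comes back unchanged (or NULL),
 * report "not implemented" by returning NULL instead of handing the caller
 * an unescaped string to splice into a query. */
static char *checked_escape(escape_fn esc, const char *s)
{
    const char probe[] = "'";
    char *r = esc(probe);
    int noop = (r == NULL) || strcmp(r, probe) == 0;
    free(r);
    return noop ? NULL : esc(s);
}
```

The probe costs one extra call per escape; a driver wrapper would run it once at connection open and cache the verdict.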