On Wed, 2 Jan 2013 14:37:37 +0000, Nick Kew <n...@apache.org> wrote:
> From my point of view, the chief reason for wanting this
> on-list is that changes have happened in the DBD stuff that
> might invalidate something I say. Above all, the coming
> of drivers for backends I've never touched.
>
> More eyes make for better docs.
>

I have added a "security" note into the trunk doc of both mod_authn_dbd and mod_authz_dbd. I will commit it similarly into 2.4 in one week; please send corrections if it's incomplete or inexact.

I added:

================= BEGIN PASTE =============
<section id="security">
<title>Preventing SQL injections</title>
<p>Whether you need to care about SQL security depends on what DBD driver and backend you use. With most drivers you don't have to do anything: the statement is prepared by the database at startup, and user input is used only as data. But you may need to untaint your input. At the time of writing, the only driver that requires you to take care is FreeTDS.</p>
<p>Please read the <module>mod_dbd</module> documentation for more information about security on this scope.</p>
</section>
================= END PASTE =============

---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscr...@httpd.apache.org
For additional commands, e-mail: docs-h...@httpd.apache.org
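The distinction the pasted note draws (a statement prepared once, with user input travelling only as data, versus a driver that has to splice the value into the SQL text and therefore needs an untaint step) is easy to see in a small standalone script. The following is an added example written for this page, not httpd, apr_dbd or mod_dbd code: Python's sqlite3 module stands in for the backend, the `users` table and its "hash-..." password values are constructed sample data, the three `lookup_*` helpers are hypothetical names that mirror what AuthDBDUserPWQuery "SELECT password FROM users WHERE username = %s" does under each driver model, and the allowlist regex is one conservative untaint policy assumed for the illustration, not what the FreeTDS driver itself does.

```python
import re
import sqlite3


def make_db():
    """Constructed sample auth table standing in for the real backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-alice"), ("bob", "hash-bob")],  # placeholder hashes
    )
    return conn


def lookup_bound(conn, username):
    """Prepared-statement model (hypothetical helper name).

    The SQL text is fixed; the username is passed as a bound parameter and can
    never change the shape of the query, whatever characters it contains.
    """
    row = conn.execute(
        "SELECT password FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


def lookup_interpolated(conn, username):
    """Splicing model (hypothetical helper name).

    The value is pasted into the SQL text, so a quote in the username
    escapes the literal and rewrites the WHERE clause.
    """
    sql = "SELECT password FROM users WHERE username = '%s'" % username
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


# Assumed untaint policy for the splicing case: accept only a conservative
# username alphabet and refuse anything else before it reaches the query.
SAFE_USERNAME = re.compile(r"^[A-Za-z0-9_.@-]{1,64}$")


def lookup_untainted(conn, username):
    """Splicing model guarded by the allowlist above (hypothetical helper name)."""
    if not SAFE_USERNAME.match(username):
        return None
    return lookup_interpolated(conn, username)


if __name__ == "__main__":
    db = make_db()
    attack = "x' OR '1'='1"  # constructed injection payload
    print("bound:        ", lookup_bound(db, attack))         # None
    print("interpolated: ", lookup_interpolated(db, attack))  # leaks a row
    print("untainted:    ", lookup_untainted(db, attack))     # None
```

Run it and the interpolated lookup returns a password hash for a username that does not exist, because the payload turns the WHERE clause into `username = 'x' OR '1'='1'`; the bound lookup returns nothing, and the untainted splice rejects the payload on the quote character before any SQL is built. The allowlist deliberately errs on the strict side: it would also reject legitimate usernames containing characters outside the set, which is the trade-off you accept whenever the driver cannot bind parameters.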