Helmut Tessarek wrote:
Password validation:

Many web applications use a 32-character hexadecimal md5 hash, since PHP returns
such a value for its md5 function. Unfortunately the apr_password_validate
function does not validate such a value. Since almost every authnz backend uses
this function, it would be perfect to add this validation process to
apr_password_validate. I have attached a patch for it.


One problem with your patch is that it wouldn't distinguish between a 32-character password (plain-text passwords work on Windows) and an md5 hash.

I think it would be better to use a prefix, like {MD5}. Not perfect, but the {SHA1} prefix has already set a precedent for this in apr. If the database contains only the 32-char hash, you could use an SQL stmt like this:

 "SELECT '{MD5}' || Password AS Password FROM Users WHERE UserName = ?"

Helmut Tessarek wrote:
On 24.03.2007 14:54, Tom Donovan wrote:
If procedures only require input parameters and return a result set
(like the example procedure GROUP_SP in mod_auth_ibmdb2) - they can be
invoked by apr_dbd_select with the SQL statement:

  "CALL GROUP_SP(?)"

If this is the case then DBD does support stored procedures. The other question
is how are errors handled when using SPs? I guess I will have to start writing
the apr_dbd_ibmdb2 driver... :-)

SP errors seem to be handled the same as with ordinary SELECT statements.

The DB2 CLI is very similar (almost identical) to ODBC.

I've got an ODBC DBD driver I've used for several weeks now. I'm still struggling to code the apr 1.3 version of it, but if you (or anyone) would like to look over the apr 1.2 version - help yourself to http://www.tomdonovan.net/download/dbd_odbc.zip

Maybe it will help you to write your apr_dbd_ibmdb2 driver.

-tom-
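The ambiguity discussed in this thread, as an added example that is not code from the thread or from APR: one validator guesses the scheme from the shape of the stored value, the other dispatches on an explicit prefix. The function names are hypothetical, and `{MD5}` followed by bare hex is the convention proposed above, assumed here rather than taken from an existing APR format.

```python
import hashlib
import hmac
import re

HEX32 = re.compile(r"[0-9a-fA-F]{32}")
MD5_PREFIX = "{MD5}"  # prefix proposed in the thread; assumed to carry bare hex


def _same(a: str, b: str) -> bool:
    # Constant-time comparison, so timing does not leak how much matched.
    return hmac.compare_digest(a.encode(), b.encode())


def _md5_hex(passwd: str) -> str:
    return hashlib.md5(passwd.encode()).hexdigest()


def validate_by_shape(passwd: str, stored: str) -> bool:
    """Hypothetical: guess the scheme from what the stored value looks like."""
    if HEX32.fullmatch(stored):
        return _same(_md5_hex(passwd), stored.lower())
    return _same(passwd, stored)  # plain-text fallback


def validate_by_prefix(passwd: str, stored: str) -> bool:
    """Hypothetical: the stored value names its own scheme."""
    if stored.startswith(MD5_PREFIX):
        digest = stored[len(MD5_PREFIX):]
        if not HEX32.fullmatch(digest):
            return False  # malformed hash never matches anything
        return _same(_md5_hex(passwd), digest.lower())
    return _same(passwd, stored)  # no prefix: plain text


# Constructed sample rows: one plain-text password that happens to be
# 32 hex characters, and one PHP-style md5() hash of "secret".
PLAIN_32 = "0123456789abcdef0123456789abcdef"
PHP_HASH = _md5_hex("secret")

if __name__ == "__main__":
    # Plain-text row misread as a hash: the legitimate user is rejected.
    print(validate_by_shape(PLAIN_32, PLAIN_32))
    # With prefixes the same row is unambiguous plain text.
    print(validate_by_prefix(PLAIN_32, PLAIN_32))
    # A database holding bare hashes gets the prefix added in the SELECT.
    print(validate_by_prefix("secret", MD5_PREFIX + PHP_HASH))
```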
