On Thu, 1 May 2008 16:53:14 +1000 (EST) Res <[EMAIL PROTECTED]> wrote:
> Hi, > > I have a request for a feature in Apache. > > Basically I was wondering if it could include the ability to use > AuthBasicProvider, AuthDBDUserPWQuery etc in a .htaccess file, like > we can place in a directory block. Isn't the documentation clear about this? Hmmm, I'm sure I wrote something, but it's not in the primary docs. > Perhaps this was already looked at and discarded as a serious > performance impact? That's the lesser of two reasons. The more important one is that it introduces a whole new raft of security issues: * malicious users introducing SQL injection attacks through htaccess * naive users opening the way to ditto Then there's the problem that combines both the above: Prepared Statement implementations vary widely across database engines, and in some cases are not good for once-only use. -- Nick Kew Application Development with Apache - the Apache Modules Book http://www.apachetutor.org/
