Topic: ODBC :: Empty username causes internal server error
Author
suspi



Joined: 29 Sep 2014
Posts: 3

Posted: Mon 29 Sep '14 15:56    Post subject: ODBC :: Empty username causes internal server error

I am using user authentication with the following components:

Apache/2.4.10 (Win32) + mod_auth_basic + mod_authn_dbd + mod_dbd + ODBC Driver + Microsoft SQL Server 2008(SP3).

It works fine except when I do not provide any username when the browser asks for username and password. In this case I receive "Internal Server Error" as the response instead of an "Unauthorized" response.

The most interesting part of the error.log is:

[Sat Sep 27 21:23:17.639860 2014] [authn_dbd:error] [pid 1208:tid 1636] [client 127.0.0.1:1363] AH01656: Query execution error looking up '' in database [[dbd_odbc] SQLBindParameter returned SQL_ERROR (-1) at apr_dbd_odbc.c:604 [Microsoft][ODBC SQL Server Driver]Invalid precision value HY104 ]

The AuthDBDUserPWQuery directive in my httpd.conf is:

AuthDBDUserPWQuery "SELECT password FROM member WHERE CONVERT(VARCHAR(10), member_Index) = %s"

And the member_Index column in the database is smallint.

Is it a bug or am I missing something? Any ideas are welcome.

Thanx,

Radek
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7364
Location: Germany, Next to Hamburg

Posted: Mon 29 Sep '14 17:36

That is because if there is no username, %s is empty / nothing. So the query is not valid.

Can't you change the query that it works with an empty value?
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

Posted: Mon 29 Sep '14 19:19

This is as designed.

dbd_odbc returns the error from the sql server to mod_authn_dbd.
mod_authn_dbd returns AUTH_GENERAL_ERROR to mod_auth_basic.
In mod_auth_basic all AUTH_GENERAL_ERRORs return HTTP_INTERNAL_SERVER_ERROR to the server.

This I assume is to reflect the original error which was in the sql server as that is what erred on the empty username. This is commented in the auth_basic module before returning the 500.
/* We'll assume that the module has already said what its error
 * was in the logs.
 */
Back to top
suspi



Joined: 29 Sep 2014
Posts: 3

Posted: Tue 30 Sep '14 13:17

I understand that an error raised somewhere between dbd_odbc and SQL Server is propagated to the user as the 500 - Internal server error. It is designed well.

I am trying to figure out what is causing the error. Assuming that the authentication mechanism is treating the username as a string and the username is empty it should use either an empty string '' or a NULL as an actual value for the %s parameter. In both cases the SQL query is valid.

I have no idea how to change the SQL query to handle the situation when "nothing" is passed as the username.

Any ideas?
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7364
Location: Germany, Next to Hamburg

Posted: Tue 30 Sep '14 14:18

I'm not used to MSSQL, but in MySQL I would use single quotes around the value:

"SELECT password FROM member WHERE CONVERT(VARCHAR(10), member_Index) = '%s'"
Back to top
suspi



Joined: 29 Sep 2014
Posts: 3

Posted: Tue 30 Sep '14 20:01

Surrounding %s with ' does not work at all. Empty username causes the same error and a valid username ends with:
[Sun Sep 28 10:58:47.351564 2014] [auth_basic:error] [pid 1824:tid 1636] [client 127.0.0.1:2461] AH01618: user XY not found: /

I think dbd_odbc driver uses prepared SQL statements and it provides single quotes around string parameters automatically on its own. This is OK but something is wrong with empty values. I have tried many variants of the query but still no luck.
Back to top
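
A triage helper for the two error.log messages quoted in this thread, added here as an example and not posted by any participant or taken from Apache: it separates AH01656 lookups that failed in the database (the 500 path glsmith describes), flagging empty usernames, from AH01618 user-not-found entries. The 192.0.2.10 lines, the kind labels and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Apache 2.4 error-log layout as seen in the thread:
# [time] [module:level] [pid N:tid N] [client ip:port] AHnnnnn: message
LINE_RE = re.compile(
    r"^\[(?P<time>[^\]]+)\] \[(?P<module>\w+):(?P<level>\w+)\] "
    r"\[pid \d+:tid \d+\] \[client (?P<ip>[^\]]+):\d+\] "
    r"(?P<code>AH\d{5}): (?P<msg>.*)$"
)
# AH01656 (authn_dbd): the query itself failed; the thread says this ends in a 500.
LOOKUP_RE = re.compile(r"looking up '(?P<user>[^']*)' in database")
# AH01618 (auth_basic): the lookup completed but no matching user was found.
NOT_FOUND_RE = re.compile(r"^user (?P<user>.*?) not found: ")
# First two lines are quoted from the thread; the 192.0.2.10 lines are constructed.
SAMPLE_LOG = """\
[Sat Sep 27 21:23:17.639860 2014] [authn_dbd:error] [pid 1208:tid 1636] [client 127.0.0.1:1363] AH01656: Query execution error looking up '' in database [[dbd_odbc] SQLBindParameter returned SQL_ERROR (-1) at apr_dbd_odbc.c:604 [Microsoft][ODBC SQL Server Driver]Invalid precision value HY104 ]
[Sun Sep 28 10:58:47.351564 2014] [auth_basic:error] [pid 1824:tid 1636] [client 127.0.0.1:2461] AH01618: user XY not found: /
[Sun Sep 28 11:02:03.000000 2014] [authn_dbd:error] [pid 1824:tid 1640] [client 192.0.2.10:50211] AH01656: Query execution error looking up '' in database [constructed driver text]
[Sun Sep 28 11:02:04.000000 2014] [authn_dbd:error] [pid 1824:tid 1640] [client 192.0.2.10:50212] AH01656: Query execution error looking up '' in database [constructed driver text]
"""

def classify(line):
    """Return ip, code, kind and user for an auth-related line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    if m["code"] == "AH01656":
        u = LOOKUP_RE.search(m["msg"])
        user = u["user"] if u else None
        kind = "backend_error_empty_user" if user == "" else "backend_error"
    elif m["code"] == "AH01618":
        u = NOT_FOUND_RE.search(m["msg"])
        user, kind = (u["user"] if u else None), "user_not_found"
    else:
        return None
    return {"ip": m["ip"], "code": m["code"], "kind": kind, "user": user}

def summarize(log_text):
    """Count events per (client ip, kind) so 500-producing lookups stand out."""
    counts = Counter()
    for line in log_text.splitlines():
        event = classify(line)
        if event:
            counts[(event["ip"], event["kind"])] += 1
    return counts

if __name__ == "__main__":
    print(sorted(summarize(SAMPLE_LOG).items()))
```

A client that keeps producing `backend_error_empty_user` entries is generating 500 responses and database round trips without ever presenting a username.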

