From: Nick Kew Date: Tue, 22 Apr 2008 09:38:17 +0000 (+0000) Subject: Clarify explanation of untainting. X-Git-Tag: 2.3.0~685 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=50f5975388ce6f0c6f412b6d3d650c54b8341602;p=thirdparty%2Fapache%2Fhttpd.git Clarify explanation of untainting. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@650428 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/docs/manual/mod/mod_dbd.xml b/docs/manual/mod/mod_dbd.xml index ae20019abc5..9992f555038 100644 --- a/docs/manual/mod/mod_dbd.xml +++ b/docs/manual/mod/mod_dbd.xml @@ -127,8 +127,13 @@ APR_DECLARE_OPTIONAL_FN(void, ap_dbd_prepare, (server_rec*, const char*, const c untrusted input is merged into the SQL statement.

It can be made safe by untainting all inputs: a process inspired by Perl's taint checking. Each input - is matched against a regexp, and only the match is used. - To use this, the untainting regexps must be included in the + is matched against a regexp, and only the match is used, + according to the Perl idiom:

+ +
  $untrusted =~ /([a-z])+/;
+  $trusted = $1;
+
+

To use this, the untainting regexps must be included in the prepared statements configured. The regexp follows immediately after the % in the prepared statement, and is enclosed in curly brackets {}. For example, if your application expects
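Review bot: the Perl idiom added in this hunk captures only one character, not the whole run: in `$untrusted =~ /([a-z])+/;` the `+` quantifier sits outside the capturing group, so `$1` holds just the last letter matched and `$trusted` is silently truncated to a single character. The group should enclose the quantifier, `$untrusted =~ /([a-z]+)/;`. Two further points worth a sentence in the prose, since this is the model readers will copy for their own untainting regexps: the pattern is unanchored, so it accepts the first lowercase run and discards whatever precedes or follows it rather than rejecting the input, and `$1` is only meaningful when the match succeeded (Perl leaves `$1` holding the value from the previous successful match otherwise), so the idiom is safer written as `if ($untrusted =~ /^([a-z]+)$/) { $trusted = $1; }` or at least with the failure case handled explicitly.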