{ "mode": "perldoc", "parameter": "DBI::ProxyServer", "section": "", "url": "https://www.chedong.com/phpMan.php/perldoc/DBI%3A%3AProxyServer/json", "generated": "2026-06-15T16:02:34Z", "synopsis": "use DBI::ProxyServer;\nDBI::ProxyServer::main(@ARGV);", "sections": { "NAME": { "content": "DBI::ProxyServer - a server for the DBD::Proxy driver\n", "subsections": [] }, "SYNOPSIS": { "content": "use DBI::ProxyServer;\nDBI::ProxyServer::main(@ARGV);\n", "subsections": [] }, "DESCRIPTION": { "content": "DBI::Proxy Server is a module for implementing a proxy for the DBI proxy driver, DBD::Proxy. It\nallows access to databases over the network if the DBMS does not offer networked operations. But\nthe proxy server might be useful for you, even if you have a DBMS with integrated network\nfunctionality: It can be used as a DBI proxy in a firewalled environment.\n\nDBI::ProxyServer runs as a daemon on the machine with the DBMS or on the firewall. The client\nconnects to the agent using the DBI driver DBD::Proxy, thus in the exactly same way than using\nDBD::mysql, DBD::mSQL or any other DBI driver.\n\nThe agent is implemented as a RPC::PlServer application. Thus you have access to all the\npossibilities of this module, in particular encryption and a similar configuration file.\nDBI::ProxyServer adds the possibility of query restrictions: You can define a set of queries\nthat a client may execute and restrict access to those. (Requires a DBI driver that supports\nparameter binding.) See \"CONFIGURATION FILE\".\n\nThe provided driver script, dbiproxy, may either be used as it is or used as the basis for a\nlocal version modified to meet your needs.\n", "subsections": [] }, "OPTIONS": { "content": "When calling the DBI::ProxyServer::main() function, you supply an array of options. These\noptions are parsed by the Getopt::Long module. The ProxyServer inherits all of RPC::PlServer's\nand hence Net::Daemon's options and option handling, in particular the ability to read options\nfrom either the command line or a config file. See RPC::PlServer. See Net::Daemon. Available\noptions include\n\n*chroot* (--chroot=dir)\n(UNIX only) After doing a bind(), change root directory to the given directory by doing a\nchroot(). This is useful for security, but it restricts the environment a lot. For example,\nyou need to load DBI drivers in the config file or you have to create hard links to Unix\nsockets, if your drivers are using them. For example, with MySQL, a config file might\ncontain the following lines:\n\nmy $rootdir = '/var/dbiproxy';\nmy $unixsockdir = '/tmp';\nmy $unixsockfile = 'mysql.sock';\nforeach $dir ($rootdir, \"$rootdir$unixsockdir\") {\nmkdir 0755, $dir;\n}\nlink(\"$unixsockdir/$unixsockfile\",\n\"$rootdir$unixsockdir/$unixsockfile\");\nrequire DBD::mysql;\n\n{\n'chroot' => $rootdir,\n...\n}\n\nIf you don't know chroot(), think of an FTP server where you can see a certain directory\ntree only after logging in. See also the --group and --user options.\n\n*clients*\nAn array ref with a list of clients. Clients are hash refs, the attributes *accept* (0 for\ndenying access and 1 for permitting) and *mask*, a Perl regular expression for the clients\nIP number or its host name.\n\n*configfile* (--configfile=file)\nConfig files are assumed to return a single hash ref that overrides the arguments of the new\nmethod. However, command line arguments in turn take precedence over the config file. See\nthe \"CONFIGURATION FILE\" section below for details on the config file.\n\n*debug* (--debug)\nTurn debugging mode on. Mainly this asserts that logging messages of level \"debug\" are\ncreated.\n\n*facility* (--facility=mode)\n(UNIX only) Facility to use for Sys::Syslog. The default is daemon.\n\n*group* (--group=gid)\nAfter doing a bind(), change the real and effective GID to the given. This is useful, if you\nwant your server to bind to a privileged port (<1024), but don't want the server to execute\nas root. See also the --user option.\n\nGID's can be passed as group names or numeric values.\n\n*localaddr* (--localaddr=ip)\nBy default a daemon is listening to any IP number that a machine has. This attribute allows\none to restrict the server to the given IP number.\n\n*localport* (--localport=port)\nThis attribute sets the port on which the daemon is listening. It must be given somehow, as\nthere's no default.\n\n*logfile* (--logfile=file)\nBe default logging messages will be written to the syslog (Unix) or to the event log\n(Windows NT). On other operating systems you need to specify a log file. The special value\n\"STDERR\" forces logging to stderr. See Net::Daemon::Log for details.\n\n*mode* (--mode=modename)\nThe server can run in three different modes, depending on the environment.\n\nIf you are running Perl 5.005 and did compile it for threads, then the server will create a\nnew thread for each connection. The thread will execute the server's Run() method and then\nterminate. This mode is the default, you can force it with \"--mode=threads\".\n\nIf threads are not available, but you have a working fork(), then the server will behave\nsimilar by creating a new process for each connection. This mode will be used automatically\nin the absence of threads or if you use the \"--mode=fork\" option.\n\nFinally there's a single-connection mode: If the server has accepted a connection, he will\nenter the Run() method. No other connections are accepted until the Run() method returns (if\nthe client disconnects). This operation mode is useful if you have neither threads nor\nfork(), for example on the Macintosh. For debugging purposes you can force this mode with\n\"--mode=single\".\n\n*pidfile* (--pidfile=file)\n(UNIX only) If this option is present, a PID file will be created at the given location.\nDefault is to not create a pidfile.\n\n*user* (--user=uid)\nAfter doing a bind(), change the real and effective UID to the given. This is useful, if you\nwant your server to bind to a privileged port (<1024), but don't want the server to execute\nas root. See also the --group and the --chroot options.\n\nUID's can be passed as group names or numeric values.\n\n*version* (--version)\nSuppresses startup of the server; instead the version string will be printed and the program\nexits immediately.\n", "subsections": [] }, "SHUTDOWN": { "content": "DBI::ProxyServer is built on RPC::PlServer which is, in turn, built on Net::Daemon.\n\nYou should refer to Net::Daemon for how to shutdown the server, except that you can't because\nit's not currently documented there (as of v0.43). The bottom-line is that it seems that there's\nno support for graceful shutdown.\n", "subsections": [] }, "CONFIGURATION FILE": { "content": "The configuration file is just that of *RPC::PlServer* or *Net::Daemon* with some additional\nattributes in the client list.\n\nThe config file is a Perl script. At the top of the file you may include arbitrary Perl source,\nfor example load drivers at the start (useful to enhance performance), prepare a chroot\nenvironment and so on.\n\nThe important thing is that you finally return a hash ref of option name/value pairs. The\npossible options are listed above.\n\nAll possibilities of Net::Daemon and RPC::PlServer apply, in particular\n\nHost and/or User dependent access control\nHost and/or User dependent encryption\nChanging UID and/or GID after binding to the port\nRunning in a chroot() environment\n\nAdditionally the server offers you query restrictions. Suggest the following client list:\n\n'clients' => [\n{ 'mask' => '^admin\\.company\\.com$',\n'accept' => 1,\n'users' => [ 'root', 'wwwrun' ],\n},\n{\n'mask' => '^admin\\.company\\.com$',\n'accept' => 1,\n'users' => [ 'root', 'wwwrun' ],\n'sql' => {\n'select' => 'SELECT * FROM foo',\n'insert' => 'INSERT INTO foo VALUES (?, ?, ?)'\n}\n}\n\nthen only the users root and wwwrun may connect from admin.company.com, executing arbitrary\nqueries, but only wwwrun may connect from other hosts and is restricted to\n\n$sth->prepare(\"select\");\n\nor\n\n$sth->prepare(\"insert\");\n\nwhich in fact are \"SELECT * FROM foo\" or \"INSERT INTO foo VALUES (?, ?, ?)\".\n", "subsections": [] }, "Proxyserver Configuration file (bigger example)": { "content": "This section tells you how to restrict a DBI-Proxy: Not every user from every workstation shall\nbe able to execute every query.\n\nThere is a perl program \"dbiproxy\" which runs on a machine which is able to connect to all the\ndatabases we wish to reach. All Perl-DBD-drivers must be installed on this machine. You can also\nreach databases for which drivers are not available on the machine where you run the program\nquerying the database, e.g. ask MS-Access-database from Linux.\n\nCreate a configuration file \"proxyoracle.cfg\" at the dbproxy-server:\n\n{\n# This shall run in a shell or a DOS-window\n# facility => 'daemon',\npidfile => 'yourdbiproxy.pid',\nlogfile => 1,\ndebug => 0,\nmode => 'single',\nlocalport => '12400',\n\n# Access control, the first match in this list wins!\n# So the order is important\nclients => [\n# hint to organize:\n# the most specialized rules for single machines/users are 1st\n# then the denying rules\n# then the rules about whole networks\n\n# rule: internalwebserver\n# desc: to get statistical information\n{\n# this IP-address only is meant\nmask => '^10\\.95\\.81\\.243$',\n# accept (not defer) connections like this\naccept => 1,\n# only users from this list\n# are allowed to log on\nusers => [ 'informationdesk' ],\n# only this statistical query is allowed\n# to get results for a web-query\nsql => {\nalive => 'select count(*) from dual',\nstatisticarea => 'select count(*) from e01admin.e01e203 where gebbezei like ?',\n}\n},\n\n# rule: internalbadguy1\n{\nmask => '^10\\.95\\.81\\.1$',\naccept => 0,\n},\n\n# rule: employeeworkplace\n# desc: get detailed information\n{\n# any IP-address is meant here\nmask => '^10\\.95\\.81\\.(\\d+)$',\n# accept (not defer) connections like this\naccept => 1,\n# only users from this list\n# are allowed to log on\nusers => [ 'informationdesk', 'lippmann' ],\n# all these queries are allowed:\nsql => {\nsearchcity => 'select ortnr, plz, ort from e01admin.e01e200 where plz like ?',\nsearcharea => 'select gebiettyp, gebbezei from e01admin.e01e203 where gebbezei like ? or gebbezei like ?',\n}\n},\n\n# rule: internalbadguy2\n# This does NOT work, because rule \"employeeworkplace\" hits\n# with its ip-address-mask of the whole network\n{\n# don't accept connection from this ip-address\nmask => '^10\\.95\\.81\\.5$',\naccept => 0,\n}\n]\n}\n\nStart the proxyserver like this:\n\nrem well-set Oraclehome needed for Oracle\nset ORACLEHOME=d:\\oracle\\ora81\ndbiproxy --configfile proxyoracle.cfg\n", "subsections": [ { "name": "Testing the connection from a remote machine", "content": "Call a program \"dbish\" from your commandline. I take the machine from rule \"internalwebserver\"\n\ndbish \"dbi:Proxy:hostname=oracle.zdf;port=12400;dsn=dbi:Oracle:e01\" informationdesk xxx\n\nThere will be a shell-prompt:\n\ninformationdesk@dbi...> alive\n\nCurrent statement buffer (enter '/'...):\nalive\n\ninformationdesk@dbi...> /\nCOUNT(*)\n'1'\n[1 rows of 1 fields returned]\n" }, { "name": "Testing the connection with a perl-script", "content": "Create a perl-script like this:\n\n# file: oratest.pl\n# call me like this: perl oratest.pl user password\n\nuse strict;\nuse DBI;\n\nmy $user = shift || die \"Usage: $0 user password\";\nmy $pass = shift || die \"Usage: $0 user password\";\nmy $config = {\ndsnatproxy => \"dbi:Oracle:e01\",\nproxy => \"hostname=oechsle.zdf;port=12400\",\n};\nmy $dsn = sprintf \"dbi:Proxy:%s;dsn=%s\",\n$config->{proxy},\n$config->{dsnatproxy};\n\nmy $dbh = DBI->connect( $dsn, $user, $pass )\n|| die \"connect did not work: $DBI::errstr\";\n\nmy $sql = \"searchcity\";\nprintf \"%s\\n%s\\n%s\\n\", \"=\"x40, $sql, \"=\"x40;\nmy $cur = $dbh->prepare($sql);\n$cur->bindparam(1,'905%');\n&showresult ($cur);\n\nmy $sql = \"searcharea\";\nprintf \"%s\\n%s\\n%s\\n\", \"=\"x40, $sql, \"=\"x40;\nmy $cur = $dbh->prepare($sql);\n$cur->bindparam(1,'Pfarr%');\n$cur->bindparam(2,'Bronnamberg%');\n&showresult ($cur);\n\nmy $sql = \"statisticarea\";\nprintf \"%s\\n%s\\n%s\\n\", \"=\"x40, $sql, \"=\"x40;\nmy $cur = $dbh->prepare($sql);\n$cur->bindparam(1,'Pfarr%');\n&showresult ($cur);\n\n$dbh->disconnect;\nexit;\n\n\nsub showresult {\nmy $cur = shift;\nunless ($cur->execute()) {\nprint \"Could not execute\\n\";\nreturn;\n}\n\nmy $rownum = 0;\nwhile (my @row = $cur->fetchrowarray()) {\nprintf \"Row is: %s\\n\", join(\", \",@row);\nif ($rownum++ > 5) {\nprint \"... and so on\\n\";\nlast;\n}\n}\n$cur->finish;\n}\n\nThe result\n\nC:\\>perl oratest.pl informationdesk xxx\n========================================\nsearchcity\n========================================\nRow is: 3322, 9050, Chemnitz\nRow is: 3678, 9051, Chemnitz\nRow is: 10447, 9051, Chemnitz\nRow is: 12128, 9051, Chemnitz\nRow is: 10954, 90513, Zirndorf\nRow is: 5808, 90513, Zirndorf\nRow is: 5715, 90513, Zirndorf\n... and so on\n========================================\nsearcharea\n========================================\nRow is: 101, Bronnamberg\nRow is: 400, Pfarramt Zirndorf\nRow is: 400, Pfarramt Rosstal\nRow is: 400, Pfarramt Oberasbach\nRow is: 401, Pfarramt Zirndorf\nRow is: 401, Pfarramt Rosstal\n========================================\nstatisticarea\n========================================\nDBD::Proxy::st execute failed: Server returned error: Failed to execute method CallMethod: Unknown SQL query: statisticarea at E:/Perl/site/lib/DBI/ProxyServer.pm line 258.\nCould not execute\n" }, { "name": "How the configuration works", "content": "The most important section to control access to your dbi-proxy is \"client=>\" in the file\n\"proxyoracle.cfg\":\n\nControlling which person at which machine is allowed to access\n\n* \"mask\" is a perl regular expression against the plain ip-address of the machine which wishes\nto connect or the reverse-lookup from a nameserver.\n\n* \"accept\" tells the dbiproxy-server whether ip-adresse like in \"mask\" are allowed to connect\nor not (0/1)\n\n* \"users\" is a reference to a list of usernames which must be matched, this is NOT a regular\nexpression.\n\nControlling which SQL-statements are allowed\n\nYou can put every SQL-statement you like in simply omitting \"sql => ...\", but the more important\nthing is to restrict the connection so that only allowed queries are possible.\n\nIf you include an sql-section in your config-file like this:\n\nsql => {\nalive => 'select count(*) from dual',\nstatisticarea => 'select count(*) from e01admin.e01e203 where gebbezei like ?',\n}\n\nThe user is allowed to put two queries against the dbi-proxy. The queries are not \"select" }, { "name": "count", "content": "real query. So you can run a query for \"alive\":\n\nmy $sql = \"alive\";\nmy $cur = $dbh->prepare($sql);\n...\n\nThe flexibility is that you can put parameters in the where-part of the query so the query are\nnot static. Simply replace a value in the where-part of the query through a question mark and\nbind it as a parameter to the query.\n\nmy $sql = \"statisticarea\";\nmy $cur = $dbh->prepare($sql);\n$cur->bindparam(1,'905%');\n# A second parameter would be called like this:\n# $cur->bindparam(2,'98%');\n\nThe result is this query:\n\nselect count(*) from e01admin.e01e203\nwhere gebbezei like '905%'\n\nDon't try to put parameters into the sql-query like this:\n\n# Does not work like you think.\n# Only the first word of the query is parsed,\n# so it's changed to \"statisticarea\", the rest is omitted.\n# You have to work with $cur->bindparam.\nmy $sql = \"statisticarea 905%\";\nmy $cur = $dbh->prepare($sql);\n...\n" }, { "name": "Problems", "content": "* I don't know how to restrict users to special databases.\n\n* I don't know how to pass query-parameters via dbish\n" } ] }, "SECURITY WARNING": { "content": "RPC::PlServer used underneath is not secure due to serializing and deserializing data with\nStorable module. Use the proxy driver only in trusted environment.\n", "subsections": [] }, "AUTHOR": { "content": "Copyright (c) 1997 Jochen Wiedmann\nAm Eisteich 9\n72555 Metzingen\nGermany\n\nEmail: joe@ispsoft.de\nPhone: +49 7123 14881\n\nThe DBI::ProxyServer module is free software; you can redistribute it and/or modify it under the\nsame terms as Perl itself. In particular permission is granted to Tim Bunce for distributing\nthis as a part of the DBI.\n", "subsections": [] }, "SEE ALSO": { "content": "dbiproxy, DBD::Proxy, DBI, RPC::PlServer, RPC::PlClient, Net::Daemon, Net::Daemon::Log,\nSys::Syslog, Win32::EventLog, syslog\n", "subsections": [] } }, "summary": "DBI::ProxyServer - a server for the DBD::Proxy driver", "flags": [], "examples": [], "see_also": [] }