Re: [Exim] extract problems with digits in smtp-auth

Page principale
Supprimer ce message
Répondre à ce message
Auteur: robert rotman
Date:  
À: Tamas TEVESZ
CC: exim-users
Sujet: Re: [Exim] extract problems with digits in smtp-auth
On Wed, 28 Feb 2001, Tamas TEVESZ wrote:

> On Wed, 28 Feb 2001, robert rotman wrote:
>
>  > (${lookup mysql{select password from table where
>  >    username='${extract{1}{#}{$2}}' and
>  >    domain='${extract{2}{#}{$2}}'}{$value}fail}
>  > )

>
> as the very bare minimum __always__ use quote_mysql. (not sure if it's
> related, it could even be. recommended reading is the rfp2k01 advisory
> by rfp, which discusses *sql and unchecked user input from a web'n
> stuff related point of view, most certainy applies to any such
> situation - like this one).
>


sorry, i forgot to mention:
i did the quote_mysql but i did not include this in my email because i
thought it's clearer to understand in this way.
('${quote_mysql:${extract{1}{#}{$2}}})

anyway, there is the same effect.

robert