On Wed, 28 Feb 2001, Tamas TEVESZ wrote:
> On Wed, 28 Feb 2001, robert rotman wrote:
>
> > (${lookup mysql{select password from table where
> > username='${extract{1}{#}{$2}}' and
> > domain='${extract{2}{#}{$2}}'}{$value}fail}
> > )
>
> as the very bare minimum __always__ use quote_mysql. (not sure if it's
> related, it could even be. recommended reading is the rfp2k01 advisory
> by rfp, which discusses *sql and unchecked user input from a web'n
> stuff related point of view, most certainly applies to any such
> situation - like this one).
>
Sorry, I forgot to mention:
I did the quote_mysql but I did not include this in my email because I
thought it's clearer to understand in this way.
('${quote_mysql:${extract{1}{#}{$2}}})
Anyway, there is the same effect.
robert
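As an added illustration of the quote_mysql point raised in this thread (example code written for this page, not from the thread or from Exim itself): the functions below are small approximations of Exim's ${extract} and ${quote_mysql:} operators, used to show why an unquoted extract lets a single quote in the local part change the structure of the lookup query, while the quoted form keeps the literal intact. The escaped character set in quote_mysql and the "four unescaped quotes" structural check are assumptions of this example.

```python
import re

# Constructed model of the lookup from the thread; the real query runs inside Exim.
TEMPLATE = ("select password from table where "
            "username='{user}' and domain='{domain}'")


def extract(n, seps, s):
    """Approximation of Exim ${extract{n}{seps}{s}}: 1-based field, split on any
    character in seps, empty string when the field does not exist."""
    parts = re.split("[" + re.escape(seps) + "]", s)
    return parts[n - 1] if 0 < n <= len(parts) else ""


def quote_mysql(s):
    """Approximation of Exim ${quote_mysql:...}: backslash-escape the characters
    MySQL treats specially inside a quoted literal (assumed set for this example)."""
    special = {"\n": "n", "\r": "r", "\0": "0"}
    out = []
    for ch in s:
        if ch in "\\'\"\n\r\0":
            out.append("\\" + special.get(ch, ch))
        else:
            out.append(ch)
    return "".join(out)


def build_query(local_part, quote=True):
    """Build the lookup for a 'user#domain' local part, with or without quoting."""
    user = extract(1, "#", local_part)
    domain = extract(2, "#", local_part)
    if quote:
        user, domain = quote_mysql(user), quote_mysql(domain)
    return TEMPLATE.format(user=user, domain=domain)


def unescaped_quote_count(query):
    """Count single quotes preceded by an even number of backslashes; the template
    needs exactly four, so any other count means the literal boundaries moved."""
    return len(re.findall(r"(?<!\\)(?:\\\\)*'", query))


if __name__ == "__main__":
    addr = "o'brien#example.org"  # constructed local part containing a quote
    for q in (False, True):
        query = build_query(addr, quote=q)
        print(f"quote_mysql={q}: {query}")
        print("  unescaped quotes:", unescaped_quote_count(query))
```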