Re: [exim] mysql authentication problem...

Startseite
Nachricht löschen
Nachricht beantworten
Autor: John Doe
Datum:  
To: exim-users
Betreff: Re: [exim] mysql authentication problem...
From: Mike Cardwell <exim-users@???>
> You're open to SQL injection attacks as you haven't escaped apostrophes
> in the login name or password. For example:
>
> login = '$2'
>
> Should be:
>
> login = '${quote_mysql:$2}'


Thx for the fix! So:

AUTH_PLAIN_QUERY = SELECT login FROM emails WHERE login = '${quote_mysql:$2}' \
AND password = MD5('${quote_mysql:$3}')
AUTH_LOGIN_QUERY = SELECT login FROM emails WHERE login = '${quote_mysql:$1}' \
AND password = MD5('${quote_mysql:$2}')

I have another question: how can I allow only encrypted/authenticated connections?

Thx,
JD