Author: John Doe Date: To: exim-users Subject: Re: [exim] mysql authentication problem...
From: Mike Cardwell <exim-users@???> > You're open to SQL injection attacks as you haven't escaped apostrophes
> in the login name or password. For example:
>
> login = '$2'
>
> Should be:
>
> login = '${quote_mysql:$2}'
Thx for the fix! So:
AUTH_PLAIN_QUERY = SELECT login FROM emails WHERE login = '${quote_mysql:$2}' \
AND password = MD5('${quote_mysql:$3}')
AUTH_LOGIN_QUERY = SELECT login FROM emails WHERE login = '${quote_mysql:$1}' \
AND password = MD5('${quote_mysql:$2}')
I have another question: how can I allow only encrypted/authenticated connections?
