Re: [exim] mysql authentication problem...

Author: John Doe
Date:
To: exim-users
Subject: Re: [exim] mysql authentication problem...
From: Mike Cardwell <exim-users@???>
> You're open to SQL injection attacks as you haven't escaped apostrophes
> in the login name or password. For example:
>
> login = '$2'
>
> Should be:
>
> login = '${quote_mysql:$2}'


Thx for the fix! So:

AUTH_PLAIN_QUERY = SELECT login FROM emails WHERE login = '${quote_mysql:$2}' \
AND password = MD5('${quote_mysql:$3}')
AUTH_LOGIN_QUERY = SELECT login FROM emails WHERE login = '${quote_mysql:$1}' \
AND password = MD5('${quote_mysql:$2}')

I have another question: how can I allow only encrypted/authenticated connections?

Thx,
JD
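
Added example (not part of the original message and not Exim's own code): a Python sketch of what the ${quote_mysql:...} change does to the expanded PLAIN query, using a constructed login that contains an apostrophe. quote_mysql() re-implements the escaping described in the Exim specification; the fully unquoted query, expand() and string_literals() are assumptions made for this illustration.

```python
import re

# Escaping that the Exim specification documents for ${quote_mysql:...}
# (assumption: re-implemented from the documentation, not from Exim's source).
_ESCAPES = {"\n": "\\n", "\t": "\\t", "\r": "\\r", "\b": "\\b",
            "'": "\\'", '"': '\\"', "\\": "\\\\"}
_UNESCAPES = {"n": "\n", "t": "\t", "r": "\r", "b": "\b"}

def quote_mysql(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

# PLAIN query before and after the fix, continuation lines joined. The
# unquoted form is reconstructed from the quoted fragment (assumption).
UNQUOTED = "SELECT login FROM emails WHERE login = '$2' AND password = MD5('$3')"
QUOTED = ("SELECT login FROM emails WHERE login = '${quote_mysql:$2}' "
          "AND password = MD5('${quote_mysql:$3}')")

def expand(template, args):
    """Expand only $N and ${quote_mysql:$N}, the two forms used above."""
    def repl(m):
        raw = args[int(m.group(1) or m.group(2))]
        return quote_mysql(raw) if m.group(1) else raw
    return re.sub(r"\$\{quote_mysql:\$(\d)\}|\$(\d)", repl, template)

def string_literals(sql):
    """Return (decoded '...' literals, True if every literal was closed)."""
    out, i = [], 0
    while i < len(sql):
        if sql[i] != "'":
            i += 1
            continue
        i, buf = i + 1, []
        while i < len(sql) and sql[i] != "'":
            if sql[i] == "\\" and i + 1 < len(sql):
                i += 1                      # backslash escape: decode next char
                buf.append(_UNESCAPES.get(sql[i], sql[i]))
            else:
                buf.append(sql[i])
            i += 1
        if i >= len(sql):
            return out, False               # ran off the end inside a literal
        out.append("".join(buf))
        i += 1
    return out, True

if __name__ == "__main__":
    args = {2: "o'brien", 3: "pa\\ss"}      # constructed sample credentials
    for name, tmpl in (("unquoted", UNQUOTED), ("quoted", QUOTED)):
        sql = expand(tmpl, args)
        print(name, "->", sql, string_literals(sql))
```

With the quoted query the server sees exactly two literals, equal to the submitted login and password; with the unquoted one the apostrophe closes the login literal early and the rest of the input is parsed as SQL.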