Re: [exim] mysql authentication problem...

Author: Mike Cardwell
To: exim-users
Subject: Re: [exim] mysql authentication problem...
John Doe wrote:

>> You're open to SQL injection attacks as you haven't escaped apostrophes
>> in the login name or password. For example:
>>
>> login = '$2'
>>
>> Should be:
>>
>> login = '${quote_mysql:$2}'
>
> Thx for the fix! So:
>
> AUTH_PLAIN_QUERY = SELECT login FROM emails WHERE login = '${quote_mysql:$2}' \
> AND password = MD5('${quote_mysql:$3}')
> AUTH_LOGIN_QUERY = SELECT login FROM emails WHERE login = '${quote_mysql:$1}' \
> AND password = MD5('${quote_mysql:$2}')
>
> I have another question: how can I allow only encrypted/authenticated connections?
By specifying this in your authenticator you're saying "Only advertise
authentication as an available option if the connection is already
encrypted":

server_advertise_condition = ${if def:tls_cipher }

If the client tries to use a feature that hasn't been advertised,
they'll get an error. So as it stands, you shouldn't be able to
authenticate unless the connection is encrypted... Is that not what
you're seeing?

--
Mike Cardwell - IT Consultant and LAMP developer
Cardwell IT Ltd. (UK Reg'd Company #06920226) http://cardwellit.com/
Technical Blog: https://secure.grepular.com/blog/
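The escaping point raised in the quoted part of this thread can be checked mechanically. The following is an added example, not code from the thread or from Exim itself: a small Python model of what `${quote_mysql:...}` does to the `$1`/`$2`/`$3` values an SMTP AUTH client supplies, plus a minimal MySQL-style string-literal scanner that decodes the expanded `AUTH_PLAIN_QUERY` and confirms each untrusted value landed in exactly one literal and survived the round trip. The escaped character set (`'`, `"`, `\`, and newline/tab/CR/backspace written as `\n`/`\t`/`\r`/`\b`) is modelled on Exim's `mysql_quote()` and should be treated as an assumption of this example; the query template is the one from the thread, and the login/password inputs are constructed.

```python
# Added example (not part of the exim-users thread or of Exim): model of
# ${quote_mysql:...} and a well-formedness check on the expanded AUTH query.

# Template from the thread, with Exim's $2/$3 shown as format placeholders.
QUERY_TEMPLATE = ("SELECT login FROM emails WHERE login = '{login}' "
                  "AND password = MD5('{password}')")

# Control characters Exim's mysql_quote() rewrites as two-character escapes
# (assumed character set, see lead-in).
_SIMPLE_ESCAPES = {"\n": "\\n", "\t": "\\t", "\r": "\\r", "\b": "\\b"}


def quote_mysql(value: str) -> str:
    """Model of ${quote_mysql:...}: backslash-escape the characters MySQL
    would otherwise interpret inside a single-quoted string literal."""
    out = []
    for ch in value:
        if ch in "'\"\\":
            out.append("\\" + ch)
        else:
            out.append(_SIMPLE_ESCAPES.get(ch, ch))
    return "".join(out)


def build_query(login: str, password: str, escape: bool) -> str:
    """Expand the template the way Exim would: raw ($2/$3 dropped straight
    into the string) when escape=False, through quote_mysql when True."""
    if escape:
        login, password = quote_mysql(login), quote_mysql(password)
    return QUERY_TEMPLATE.format(login=login, password=password)


# Backslash escapes MySQL decodes inside a literal (\% and \_ are ignored
# here; any other escaped character stands for itself).
_UNESCAPE = {"n": "\n", "t": "\t", "r": "\r", "b": "\b", "0": "\0", "Z": "\x1a"}


def string_literals(sql: str) -> list:
    """Scan a query as MySQL reads single-quoted literals (backslash escapes
    and '' doubling honoured) and return the decoded literal values.
    Raises ValueError if a literal is never closed."""
    literals, i, n = [], 0, len(sql)
    while i < n:
        if sql[i] != "'":          # outside a literal: skip
            i += 1
            continue
        i += 1                     # consume opening quote
        buf = []
        while True:
            if i >= n:
                raise ValueError("unterminated string literal")
            ch = sql[i]
            if ch == "\\" and i + 1 < n:
                buf.append(_UNESCAPE.get(sql[i + 1], sql[i + 1]))
                i += 2
            elif ch == "'":
                if i + 1 < n and sql[i + 1] == "'":   # '' = literal quote
                    buf.append("'")
                    i += 2
                else:
                    i += 1         # closing quote
                    break
            else:
                buf.append(ch)
                i += 1
        literals.append("".join(buf))
    return literals


def query_is_well_formed(login: str, password: str, escape: bool) -> bool:
    """True only if the expanded query holds exactly the two intended
    literals and each decodes back to the original untrusted value."""
    try:
        lits = string_literals(build_query(login, password, escape))
    except ValueError:
        return False
    return lits == [login, password]


if __name__ == "__main__":
    # Constructed inputs: a legitimate login containing an apostrophe, and
    # a password containing backslash and quote characters.
    for login, pw in [("o'brien", "pa\\ss'w\"rd"), ("alice", "s3cret")]:
        for escape in (False, True):
            label = "quoted" if escape else "raw   "
            print(label, query_is_well_formed(login, pw, escape),
                  build_query(login, pw, escape))
```

Run as-is it prints the raw and quoted expansions for both inputs; the raw query for `o'brien` decodes to three literals, none of which is the login, while the `quote_mysql` version decodes to exactly `['o\'brien', 'pa\\ss\'w"rd']`. The same round-trip check is a cheap unit test to keep next to any Exim configuration that builds SQL from `$1`..`$3`.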