Re: [exim] Connecting to mysql

Author: Alain Williams
Date:  
To: exim-users
Subject: Re: [exim] Connecting to mysql
On Thu, Mar 04, 2010 at 10:41:05AM -0800, Phil Pennock wrote:
> On 2010-03-04 at 15:15 +0000, Alain Williams wrote:
> > I am doing a mysql lookup something like this:
> >
> >     ${lookup mysql{SELECT home, uid, gid FROM users WHERE userid = '$local_part' and domain = '$domain'}}
>
> You're missing the use of the quote_mysql expansion operator, to protect
> you from SQL injection attacks in the local-part -- do remember that
> this is a perfectly valid email address, designed to reach me (by
> configuration, not catchall):
Yes: that is in my 'production' version - wasn't in the test.

> "X'); DROP TABLE domains; DROP TABLE passwords; --"@???
>
> So that should be:
>
> ${lookup mysql{SELECT home, uid, gid FROM users WHERE userid = '${quote_mysql:$local_part}' and domain = '${quote_mysql:$domain}'}}
>
> > These are different databases with a different username/password. How to handle in exim:
>
> You might do something hacky like say "if the host part is empty (ie, it
> starts with a /) then parse as key=value in each / section". That would
> let you expand the syntax to supply as much or as little as wanted and
> supply alternatives too, so:
>
> ${lookup mysql{servers=/group=db1; SELECT ...}}
>
> Another option, with less coding, is to set up CNAMEs for localhost and
> use a different one for each DB. Hacky, but gets you something quickly.

Yes, I tried that; it didn't work as I wanted: exim understands 'localhost' specially,
and it means hacking /etc/hosts.

--
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256 http://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: http://www.phcomp.co.uk/contact.php
Past chairman of UKUUG: http://www.ukuug.org/
#include <std_disclaimer.h>
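To make the point of Phil's reply concrete, here is an added example (not from the thread or from Exim itself) that reimplements the escaping the Exim specification documents for `${quote_mysql:...}`, builds the lookup query from the thread with and without that operator, and counts statement terminators that end up outside the string literal. The local part is the one quoted in the thread; `example.org` and the function names are my own.

```python
# Escape set documented for Exim's quote_mysql expansion operator (assumption:
# this matches the current Exim spec): ' " and \ get a backslash prefix;
# newline, carriage return and NUL become \n, \r and \0.
_ESCAPES = {"'": "\\'", '"': '\\"', "\\": "\\\\",
            "\n": "\\n", "\r": "\\r", "\0": "\\0"}

# Local part of the address quoted in the thread (constructed test input).
HOSTILE_LOCAL_PART = "X'); DROP TABLE domains; DROP TABLE passwords; --"


def quote_mysql(value: str) -> str:
    """Mimic ${quote_mysql:value}: escape every character in _ESCAPES."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_lookup(local_part: str, domain: str, quoted: bool = True) -> str:
    """The thread's lookup query, with or without quote_mysql applied.
    Exim lookups have no bind parameters, so escaping is the only option."""
    lp, dom = (quote_mysql(local_part), quote_mysql(domain)) if quoted \
        else (local_part, domain)
    return (f"SELECT home, uid, gid FROM users "
            f"WHERE userid = '{lp}' and domain = '{dom}'")


def top_level_semicolons(sql: str) -> int:
    """Count ';' outside single-quoted literals, honouring MySQL backslash
    escapes and doubled quotes ('') inside a literal. Not a SQL parser
    (comments are ignored); it only shows whether input escaped its literal."""
    count, in_string, i = 0, False, 0
    while i < len(sql):
        ch = sql[i]
        if in_string:
            if ch == "\\":
                i += 2                      # skip the escaped character
                continue
            if ch == "'":
                if sql[i + 1:i + 2] == "'":
                    i += 2                  # '' is a literal quote
                    continue
                in_string = False
        elif ch == "'":
            in_string = True
        elif ch == ";":
            count += 1                      # terminator reached the parser
        i += 1
    return count


if __name__ == "__main__":
    for quoted in (False, True):
        sql = build_lookup(HOSTILE_LOCAL_PART, "example.org", quoted)
        print(f"quote_mysql={quoted}: {top_level_semicolons(sql)} extra "
              f"statement terminator(s)\n  {sql}")
```

Without the operator the hostile local part yields three top-level terminators; with it the whole local part stays inside one literal and the count is zero.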