On Thu, Mar 04, 2010 at 10:41:05AM -0800, Phil Pennock wrote:
> On 2010-03-04 at 15:15 +0000, Alain Williams wrote:
> > I am doing a mysql lookup something like this:
> >
> > ${lookup mysql{SELECT home, uid, gid FROM users WHERE userid = '$local_part' and domain = '$domain'}}
>
> You're missing the use of the quote_mysql expansion operator, to protect
> you from SQL injection attacks in the local-part -- do remember that
> this is a perfectly valid email address, designed to reach me (by
> configuration, not catchall):
Yes: that is in my 'production' version - wasn't in the test.
> "X'); DROP TABLE domains; DROP TABLE passwords; --"@???
>
> So that should be:
>
> ${lookup mysql{SELECT home, uid, gid FROM users WHERE userid = '${quote_mysql:$local_part}' and domain = '${quote_mysql:$domain}'}}
>
> > These are different databases with a different username/password. How to handle in exim:
> You might do something hacky like say "if the host part is empty (ie, it
> starts with a /) then parse as key=value in each / section". That would
> let you expand the syntax to supply as much or as little as wanted and
> supply alternatives too, so:
>
> ${lookup mysql{servers=/group=db1; SELECT ...}}
> Another option, with less coding, is to set up CNAMEs for localhost and
> use a different one for each DB. Hacky, but gets you something quickly.
Yes I tried that, didn't work as I wanted it, exim understands 'localhost' specially,
and it means hacking /etc/hosts.
--
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256
http://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information:
http://www.phcomp.co.uk/contact.php
Past chairman of UKUUG:
http://www.ukuug.org/
#include <std_disclaimer.h>
