On Tue, 4 May 2010, Chris Wilson wrote:
> Your query will return no rows (empty string) for both username and
> password if the user does not exist. That's probably why this
> combination is allowed.

Sorry, I was slightly wrong. If the user doesn't exist, Exim compares the
empty string (returned from the database) with the supplied username.
If the supplied username is empty, this test passes. If the supplied
password is also empty then similarly, that test passes.

Cheers, Chris.
--
_ ___ __ _
/ __/ / ,__(_)_ | Chris Wilson <0000 at qwirx.com> - Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Perl/SQL/HTML Developer |
\ _/_/_/_//_/___/ | We are GNU-free your mind-and your software |
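
The failure mode described in this message, modelled as an added example (not code from the thread and not Exim's own): a lookup that yields an empty string when no row matches, compared against the supplied credentials, next to a check that rejects empty input and requires a real row. The `users` table, its columns, the sample account and the plaintext password column are assumptions made to mirror the string comparison described.

```python
import hmac
import sqlite3

def make_db():
    # Constructed sample data; table and column names are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return db

def lookup(db, column, username):
    """Model of a string-expansion lookup: no matching row yields ''."""
    if column not in ("username", "password"):
        raise ValueError("unexpected column")
    row = db.execute(
        f"SELECT {column} FROM users WHERE username = ?", (username,)
    ).fetchone()
    return "" if row is None else row[0]

def naive_auth(db, username, password):
    """Compare the looked-up values with the supplied ones, nothing else."""
    return (lookup(db, "username", username) == username
            and lookup(db, "password", username) == password)

def hardened_auth(db, username, password):
    """Reject empty credentials and require that a row really exists."""
    if not username or not password:
        return False
    row = db.execute(
        "SELECT password FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None or not row[0]:
        return False
    # Constant-time comparison of the stored and supplied values.
    return hmac.compare_digest(row[0].encode(), password.encode())

if __name__ == "__main__":
    db = make_db()
    for user, pw in [("alice", "s3cret"), ("alice", "wrong"),
                     ("nobody", "x"), ("", "")]:
        print(repr(user), repr(pw),
              "naive:", naive_auth(db, user, pw),
              "hardened:", hardened_auth(db, user, pw))
```
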