On 23.05.2013 13:45, Jasen Betts wrote:
> On 2013-05-21, Cyborg <cyborg2@???> wrote:
>> On 21.05.2013 10:53, Fabien Wang wrote:
>>
>> just change the match from direct match to an indirect one:
>>
>> server_condition = "${if and { \
>> {!eq{$1}{}} \
>> {!eq{$2}{}} \
>> {eq{1}{${lookup mysql{SELECT '1' FROM mailboxes WHERE (domain =\
>> '${domain:$1}' \
>> AND password = sha1('$2') AND username = '${local_part:$1}')}{$value}fail}} }} {yes}{no}}"
> That's a recipe for SQL injection,
>
>
because the mysqlquote() is missing, but that was already mentioned by
someone else.