On 22 Aug 2021, at 19:49, Evgeniy Berdnikov via Exim-users <exim-users@???> wrote:

> No. These SQL queries are different: the first has NO quotes around the value in the
> domain=.. predicate, but the second has them. Debug output confirms it.
>
> Shell expands string like 'xxx'a.b.c'yyy' to 'xxxabcyyy'.
> You should do quoting carefully.
You should also use the quote_mysql expansion function to make sure you’re not exposing yourself to any SQL injection attacks.
SELECT domain FROM eximdomains WHERE active=1 AND domain='${quote_mysql:$domain}'
Without this as a guard you are (a) depending on shell quote/variable expansion when debugging, and (b) potentially exposed to arbitrary code execution via SQL injection inside Exim itself.
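As an added illustration (this is not code from the thread or from Exim itself): the Python below emulates the escaping that the Exim specification documents for ${quote_mysql:...} (newline, tab, CR and backspace become \n, \t, \r, \b; single quote, double quote and backslash are backslash-escaped) and a tiny MySQL string-literal lexer, then runs a constructed injection payload through three variants of the query from this thread. The expand() helper is a stand-in for Exim's expander that only understands $domain and ${quote_mysql:$domain}; the table and column names are the ones from the thread, the payload is made up.

```python
import re

# Escape table of ${quote_mysql:...} as documented in the Exim spec.
_QUOTE_MYSQL = {
    "\n": "\\n", "\t": "\\t", "\r": "\\r", "\b": "\\b",
    "'": "\\'", '"': '\\"', "\\": "\\\\",
}
# Reverse mapping used by the literal lexer (MySQL default sql_mode,
# i.e. NO_BACKSLASH_ESCAPES is off).
_UNESCAPE = {"n": "\n", "t": "\t", "r": "\r", "b": "\b"}

_VAR = re.compile(r"\$\{quote_mysql:\$domain\}|\$domain")


def quote_mysql(value):
    """Emulation of Exim's ${quote_mysql:<string>} operator."""
    return "".join(_QUOTE_MYSQL.get(ch, ch) for ch in value)


def expand(template, domain):
    """Stand-in for Exim string expansion (assumption: only $domain and
    ${quote_mysql:$domain} are supported). Single pass, so the substituted
    value is never re-expanded."""
    return _VAR.sub(
        lambda m: quote_mysql(domain) if m.group().startswith("${") else domain,
        template,
    )


def split_sql(sql):
    """Return (decoded single-quoted literals, text outside literals) for a
    MySQL statement, honouring backslash escapes and doubled quotes."""
    literals, outside, i, n = [], [], 0, len(sql)
    while i < n:
        if sql[i] != "'":
            outside.append(sql[i])
            i += 1
            continue
        i += 1                                   # opening quote
        buf = []
        while i < n:
            ch = sql[i]
            if ch == "\\" and i + 1 < n:         # backslash escape
                buf.append(_UNESCAPE.get(sql[i + 1], sql[i + 1]))
                i += 2
            elif ch == "'" and i + 1 < n and sql[i + 1] == "'":  # '' inside literal
                buf.append("'")
                i += 2
            elif ch == "'":                      # closing quote
                i += 1
                break
            else:
                buf.append(ch)
                i += 1
        literals.append("".join(buf))
    return literals, "".join(outside)


def analyse(template, domain):
    """Expand the template and report whether the domain survived as exactly
    one string literal with no attacker-controlled SQL outside the literals."""
    sql = expand(template, domain)
    literals, outside = split_sql(sql)
    intact = literals == [domain] and " OR " not in outside.upper()
    return {"sql": sql, "literals": literals, "outside": outside, "intact": intact}


# The three shapes discussed in the thread.
VULNERABLE = "SELECT domain FROM eximdomains WHERE active=1 AND domain='$domain'"
UNQUOTED = "SELECT domain FROM eximdomains WHERE active=1 AND domain=${quote_mysql:$domain}"
SAFE = "SELECT domain FROM eximdomains WHERE active=1 AND domain='${quote_mysql:$domain}'"

# Constructed injection payload (not from the thread).
PAYLOAD = "example.com' OR '1'='1"

if __name__ == "__main__":
    for name, tmpl in (("vulnerable", VULNERABLE), ("unquoted", UNQUOTED), ("safe", SAFE)):
        r = analyse(tmpl, PAYLOAD)
        print(f"{name:10s} intact={r['intact']}  literals={r['literals']}")
        print(f"           {r['sql']}")
```

Running it shows that the raw interpolation turns the payload into three literals with an OR between them, that quote_mysql without surrounding single quotes leaves an unterminated literal rather than the intended value, and that only the quoted-and-escaped form yields a single literal equal to the original input.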