On Mon, Jun 18, 2007 at 04:14:20PM +0200, Mark Martinec wrote:
> Daniel,
>
> > I'm tuning up my $sql_select_policy in order to improve functionality
> > of amavis on my mail server and I'm struggling with something which
> > I'd imagine would be simple. I need to extend this query as follows:
> >
> > " ... OR alias.goto LIKE ('%RECIPIENT%')"
> >
> > where RECIPIENT is the individual recipient address for the message
> > in question and the % signs are wrapping it in order to treat it as a
> > needle in a haystack. I need the same recipient address which
> > appears in the first set of single quotes when the %k macro is
> > expanded in the typical policy lookup query (per the various README
> > examples)...
>
> Here below is a patch to 2.5.1 to provide a placeholder %a, which
> is much like the %k, except that it only expands to the exact mail address,
> the same as the first entry provided by the %k expansion.
>
> It will enable you to do what you want, for example:
>
> $sql_select_policy =
> "SELECT *,users.id FROM users LEFT JOIN policy ON users.policy_id=policy.id".
> " WHERE users.email IN (%k) OR alias.goto LIKE concat('%', %a, '%')".
> " ORDER BY users.priority DESC";
>
> although I'm not sure if this is really what you want: letting a
> world-provided string be interpreted as a SQL pattern looks
> like asking for trouble.
Without digging into it would *seem* like allowing that would risk
having email addresses with single quotes (') injected into them for an
SQL injection attack.
-- Clifton
--
Clifton Royston -- [EMAIL PROTECTED] / [EMAIL PROTECTED]
President - I and I Computing * http://www.iandicomputing.com/
Custom programming, network design, systems and network consulting services
-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/
