Clifton,

> > $sql_select_policy =
> > "SELECT *,users.id FROM users LEFT JOIN policy ON
> > users.policy_id=policy.id". " WHERE users.email IN (%k) OR alias.goto
> > LIKE concat('%', %a, '%')". " ORDER BY users.priority DESC";

> Without digging into it would *seem* like allowing that would risk
> having email addresses with single quotes (') injected into them for an
> SQL injection attack.

You are wrong: the %a and %k are transformed into a '?',
and the actual values are provided by binding arguments.
See man DBI.

  Mark

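An added illustration of the mechanism Mark describes, not code from this thread or from amavisd itself: the %k and %a markers in the template are rewritten to DBI-style '?' placeholders and the address values are handed to the driver as bind arguments, so a quote inside an address never reaches the SQL parser. It uses Python's sqlite3 with a constructed in-memory users/policy table instead of Perl DBI; the table layout, the simplified template (no alias join) and the helper names are assumptions.

```python
import re
import sqlite3

# Constructed in-memory schema standing in for the users/policy tables.
SCHEMA = """
CREATE TABLE policy (id INTEGER PRIMARY KEY, policy_name TEXT);
CREATE TABLE users (id INTEGER PRIMARY KEY, priority INTEGER,
                    policy_id INTEGER, email TEXT);
INSERT INTO policy VALUES (1, 'strict'), (2, 'relaxed');
INSERT INTO users VALUES (1, 7, 1, 'alice@example.com'),
                         (2, 5, 2, '@example.com');
"""

# Template in the style of $sql_select_policy: %k expands to the list of
# lookup keys, %a to the full address (simplified for the demo; sqlite uses
# || for concatenation where the quoted config used concat()).
TEMPLATE = ("SELECT users.id, users.email, policy.policy_name FROM users "
            "LEFT JOIN policy ON users.policy_id=policy.id "
            "WHERE users.email IN (%k) OR users.email LIKE '%' || %a || '%' "
            "ORDER BY users.priority DESC")


def expand_template(template, keys, address):
    """Rewrite %k to one '?' per key and %a to a single '?', collecting the
    bind values in placeholder order. The SQL text never contains a value."""
    binds = []

    def repl(match):
        if match.group(0) == "%k":
            binds.extend(keys)
            return ", ".join(["?"] * len(keys))
        binds.append(address)
        return "?"

    sql = re.sub(r"%[ka]", repl, template)
    return sql, binds


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_policy(conn, keys, address):
    """Run the expanded query with bound parameters; returns matching rows."""
    sql, binds = expand_template(TEMPLATE, keys, address)
    return conn.execute(sql, binds).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_policy(db, ["alice@example.com", "@example.com"], "alice@example.com"))
    # A quote in the address is just data to the driver: no rows, no error.
    hostile = "x' OR '1'='1"
    print(lookup_policy(db, [hostile], hostile))
```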
_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/
