Clifton,

> > $sql_select_policy =
> >   "SELECT *,users.id FROM users LEFT JOIN policy ON users.policy_id=policy.id".
> >   " WHERE users.email IN (%k) OR alias.goto LIKE concat('%', %a, '%')".
> >   " ORDER BY users.priority DESC";

> Without digging into it, it would *seem* like allowing that would risk
> having email addresses with single quotes (') injected into them for an
> SQL injection attack.

You are wrong: the %a and %k are transformed into a '?', and actual
values are provided by binding arguments. See man DBI.

  Mark

_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ: http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos: http://www.amavis.org/howto/
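As an added illustration of the mechanism Mark describes (this is not code from amavisd-new or from anyone on the thread), here is the same placeholder expansion done in Python over SQLite instead of Perl DBI: %k becomes one '?' per lookup key, %a a single '?', and the values are handed to the driver separately as bind parameters, so a quote inside an address is data rather than SQL. The table layout, the use of users.email in place of alias.goto, and '||' in place of concat() are assumptions made to fit SQLite; the address with an apostrophe is a constructed fixture.

```python
import re
import sqlite3

# Constructed template with the same placeholder shape as the
# $sql_select_policy setting quoted in the post. Adapted for SQLite:
# '||' instead of concat(), LIKE on users.email instead of alias.goto.
# The schema below is an assumption, not amavisd-new's own layout.
SQL_SELECT_POLICY = (
    "SELECT users.email, users.priority, policy.policy_name"
    " FROM users LEFT JOIN policy ON users.policy_id = policy.id"
    " WHERE users.email IN (%k) OR users.email LIKE '%' || %a || '%'"
    " ORDER BY users.priority DESC"
)


def expand_placeholders(template, keys, address):
    """Rewrite %k and %a into '?' bind markers; return (sql, params).

    The values never enter the SQL text; they are returned in the order
    the markers appear so they can be bound by the driver.
    """
    params = []

    def repl(match):
        if match.group(0) == "%k":
            params.extend(keys)
            # one '?' per key; an empty key list becomes IN (NULL), which matches nothing
            return ", ".join("?" for _ in keys) or "NULL"
        params.append(address)
        return "?"

    sql = re.sub(r"%[ka]", repl, template)
    return sql, params


def build_db():
    """Constructed in-memory fixture; one address legitimately contains a quote."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE policy (id INTEGER PRIMARY KEY, policy_name TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT,
                            policy_id INTEGER, priority INTEGER);
        INSERT INTO policy VALUES (1, 'strict'), (2, 'relaxed');
        INSERT INTO users VALUES (1, 'alice@example.com', 1, 7);
        INSERT INTO users VALUES (2, 'o''brien@example.com', 2, 5);
        INSERT INTO users VALUES (3, '@example.com', 1, 0);
        """
    )
    return conn


def lookup_policy(conn, keys, address):
    """Bound-parameter lookup: returns [(email, priority, policy_name), ...]."""
    sql, params = expand_placeholders(SQL_SELECT_POLICY, keys, address)
    return conn.execute(sql, params).fetchall()


def lookup_policy_interpolated(conn, keys, address):
    """The construction the quoted reply worried about: values pasted into
    the SQL text. Kept only to contrast with the bound version above."""
    quoted_keys = ", ".join("'%s'" % k for k in keys)
    sql = SQL_SELECT_POLICY.replace("%k", quoted_keys).replace("%a", "'%s'" % address)
    return conn.execute(sql).fetchall()


def interpolation_breaks(conn, keys, address):
    """True when the interpolated query is rejected by the SQL parser, i.e.
    a quote inside the data escaped the string literal and altered the query."""
    try:
        lookup_policy_interpolated(conn, keys, address)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    keys = ["o'brien@example.com", "@example.com"]
    print(expand_placeholders(SQL_SELECT_POLICY, keys, keys[0]))
    print("bound:       ", lookup_policy(db, keys, keys[0]))
    print("interpolated breaks:", interpolation_breaks(db, keys, keys[0]))
```

The bound form returns the O'Brien row and the domain-wide row regardless of the apostrophe; the interpolated form fails to parse on the same input, which is exactly the sign that data was able to change the shape of the statement.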