From: Mike Cardwell <[email protected]>
> You're open to SQL injection attacks as you haven't escaped apostrophes 
> in the login name or password. For example:
> 
> login = '$2'
> 
> Should be:
> 
> login = '${quote_mysql:$2}'

Thx for the fix!  So:

AUTH_PLAIN_QUERY = SELECT login FROM emails WHERE login = '${quote_mysql:$2}' \
 AND password = MD5('${quote_mysql:$3}')
AUTH_LOGIN_QUERY = SELECT login FROM emails WHERE login = '${quote_mysql:$1}' \
 AND password = MD5('${quote_mysql:$2}')

I have another question: how can I allow only encrypted/authenticated 
connections?

Thx,
JD


      

-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-users 
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
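
Added example, not part of the original message and not Exim's own code: a Python model of what ${quote_mysql:...} does to the login and password before they reach the query, following the escaping rule in the Exim specification (backslash-escape quotes and backslash, rewrite newline, tab, carriage return and backspace). The function names, the literal scanner and the sample credentials are constructed for illustration, and MySQL's default sql_mode (backslash as escape character) is assumed.

```python
# Added example: a Python model of the escaping rule, not Exim source code.
# Assumes MySQL's default sql_mode, where backslash is the escape character.
ESCAPES = {"\n": "\\n", "\t": "\\t", "\r": "\\r", "\b": "\\b",
           "'": "\\'", '"': '\\"', "\\": "\\\\"}
UNESCAPES = {"n": "\n", "t": "\t", "r": "\r", "b": "\b"}

# The AUTH_PLAIN_QUERY shape from the message, with placeholders for $2 and $3.
TEMPLATE = ("SELECT login FROM emails WHERE login = '{login}' "
            "AND password = MD5('{password}')")


def quote_mysql(value):
    """Model of ${quote_mysql:...}: backslash-escape quotes, backslash, controls."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def build_query(login, password, quoted):
    """Expand the template with or without the quoting operator."""
    if quoted:
        login, password = quote_mysql(login), quote_mysql(password)
    return TEMPLATE.format(login=login, password=password)


def string_literals(sql):
    """Return (literals, terminated): the '...' literals a server would read."""
    literals, current, in_str, i = [], [], False, 0
    while i < len(sql):
        ch = sql[i]
        if in_str and ch == "\\" and i + 1 < len(sql):
            nxt = sql[i + 1]
            current.append(UNESCAPES.get(nxt, nxt))
            i += 2
            continue
        if ch == "'":
            if in_str:
                literals.append("".join(current))
                current = []
            in_str = not in_str
        elif in_str:
            current.append(ch)
        i += 1
    return literals, not in_str


if __name__ == "__main__":
    for quoted in (False, True):  # constructed sample credentials
        sql = build_query("o'brien", "secret", quoted)
        print(quoted, sql, string_literals(sql))
```

With the quoting applied, the two literals the server reads are exactly the submitted login and password; without it, an apostrophe in the login ends the literal early and the rest of the value is parsed as SQL.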
