On Tue, 4 May 2010, Chris Wilson wrote:

> Your query will return no rows (empty string) for both username and 
> password if the user does not exist. That's probably why this 
> combination is allowed.

Sorry, I was slightly wrong. If the user doesn't exist, Exim compares the 
empty string (returned from the database) with the supplied username.

If the supplied username is empty, this test passes. If the supplied 
password is also empty then similarly, that test passes.

Cheers, Chris.
-- 
_ ___ __     _
  / __/ / ,__(_)_  | Chris Wilson <0000 at qwirx.com> - Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Perl/SQL/HTML Developer |
\ _/_/_/_//_/___/ | We are GNU-free your mind-and your software |

-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-users 
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
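
An added example, not part of the original message and not Exim's code or the poster's configuration: a Python model of the comparison described above, where a lookup that matches no row yields an empty string, next to a check that rejects empty input and missing rows. The `users` table, its sample row and all function names are assumptions made for illustration.

```python
import hmac
import sqlite3

# Fixed queries; the model looks up one column at a time, as a string lookup would.
QUERIES = {
    "username": "SELECT username FROM users WHERE username = ?",
    "password": "SELECT password FROM users WHERE username = ?",
}

def make_db():
    """Build an in-memory table with one constructed sample account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    # Plaintext value only to keep the model short.
    db.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return db

def lookup(db, column, username):
    """Model of a string-valued lookup: no matching row becomes ''."""
    row = db.execute(QUERIES[column], (username,)).fetchone()
    return row[0] if row else ""

def naive_auth(db, user, password):
    """Compare lookup results with the supplied values, as in the thread."""
    return (lookup(db, "username", user) == user
            and lookup(db, "password", user) == password)

def hardened_auth(db, user, password):
    """Reject empty credentials and treat 'no row' as a failure, not as ''."""
    if not user or not password:
        return False
    row = db.execute(QUERIES["password"], (user,)).fetchone()
    if row is None or not row[0]:
        return False
    return hmac.compare_digest(row[0].encode(), password.encode())

if __name__ == "__main__":
    db = make_db()
    for creds in [("alice", "s3cret"), ("alice", "wrong"), ("bob", ""), ("", "")]:
        print(creds, "naive:", naive_auth(db, *creds),
              "hardened:", hardened_auth(db, *creds))
```
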
