It should be up to authmysql to escape its input in order to prevent SQL
injection. I doubt escaping differs much between different RDBMSs, but
authmysql only supports MySQL, so that's not an issue.
Postfix is using the same table and does not have a problem with  
apostrophes.
I'll just add that hacky workaround for now.

Martin

On Fri, 14 Mar 2008 16:22:49 +0100, Matt Comer <[EMAIL PROTECTED]> wrote:

>
> Apostrophes in SQL are a no-no and can be used for SQL injection attacks.
>
> Example: someone sends an email to your server at
>
> user';delete * from users;
>
> Voilà, there goes your users table! I'm not surprised to see that
> authmysql is stripping these characters.
>
> Escaping is an option. However, not all RDBMSs escape such special
> characters the same way, so that can be problematic.
>
> Matt
>
> <quote who="Martin Strand">
>> I've got usernames with apostrophes (don't ask me why, people are strange)
>> but they don't seem to work well with authmysql - the apostrophes are
>> replaced with spaces in the mysql query:
>>
>> imapd: Connection, ip=[::ffff:127.0.0.1]
>> authd: received auth request, service=imap, authtype=login
>> authd: authmysql: trying this module
>> authd: SQL query: SELECT email, "", clear, uid, gid, home, maildir, quota,
>> "", "" FROM users WHERE email = "info [EMAIL PROTECTED]"
>> authd: zero rows returned
>> authd: no password available to compare
>> authd: authmysql: REJECT - try next module
>> authd: FAIL, all modules rejected
>> imapd: LOGIN FAILED, user=info'[EMAIL PROTECTED], ip=[::ffff:127.0.0.1]
>> imapd: Disconnected, ip=[::ffff:127.0.0.1], time=5
>>
>> Is there anything I can do to prevent this? Are there other characters
>> that don't work with authmysql?
>> I should mention that I'm using the rather old courier-authlib-0.58 and
>> courier-imap-4.1.0.
>>
>>
>> One possible workaround would be:
>>
>> MYSQL_LOGIN_FIELD  replace(email, "'", " ")
>>
>> but that feels rather "hacky" so I'd rather not do it.
>>
>> Thanks,
>> Martin

_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net