On 21/04/2008, Alessandro Vesely <[EMAIL PROTECTED]> wrote:
>
> To recap,
> Matt Comer wrote: (Sat, 15 Mar 2008 09:04:20 -0400 (EDT))
>
> > <quote who="Alessandro Vesely">
> >> Authmysql needs to be revamped. I'd propose to accept any local-part
> >> that can be the target of an RCPT TO command

It may be worth using the MySQL function mysql_real_escape_string(), which
should handle anything that could cause problems. Programmatically, this
would be much less effort than using prepared statements, which require a
considerable amount of coding.

Incidentally, user names including apostrophes are quite common and were
my baptism of fire on SQL injection. Consider the publisher O'Reilly, for
example. I've had some fun typing Irish surnames into Web database-based
applications.
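
The escaping approach suggested in the message above, as an added example that is not part of the original message or of Courier's code. It uses a stand-in for mysql_real_escape_string() so it runs without a server; the function names, the table and column names and the 64-byte cap are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for mysql_real_escape_string(): escapes the bytes the MySQL
 * manual lists (NUL, \n, \r, \, ', ", Ctrl-Z). Single-byte character sets
 * only; the real call also honours the connection character set.
 * `to` must hold 2*len+1 bytes, the same sizing rule as the real call. */
static size_t escape_literal(char *to, const char *from, size_t len)
{
    char *p = to;
    for (size_t i = 0; i < len; i++) {
        char c = from[i], e = 0;
        switch (c) {
        case '\0': e = '0'; break;
        case '\n': e = 'n'; break;
        case '\r': e = 'r'; break;
        case 0x1a: e = 'Z'; break;
        case '\\': case '\'': case '"': e = c; break;
        }
        if (e) { *p++ = '\\'; *p++ = e; }
        else   { *p++ = c; }
    }
    *p = '\0';
    return (size_t)(p - to);
}

#define MAX_LOCAL 64   /* assumed cap on the local-part, for this example */

/* Builds the lookup query; table and column names are hypothetical.
 * Returns the query length, or -1 if the input or the output does not fit. */
int build_lookup_query(char *out, size_t outsz, const char *local_part)
{
    char esc[2 * MAX_LOCAL + 1];        /* worst case: every byte escaped */
    size_t len = strlen(local_part);
    if (len > MAX_LOCAL)
        return -1;
    escape_literal(esc, local_part, len);
    /* The escaped value is only safe inside the quotes of a string literal. */
    int n = snprintf(out, outsz,
                     "SELECT crypt FROM passwd WHERE id = '%s'", esc);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

int main(void)
{
    char q[256];
    if (build_lookup_query(q, sizeof q, "O'Reilly") > 0) /* constructed input */
        puts(q);
    return 0;
}
```
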