Sorry, sent this direct instead of to the list.

---------------------------- Original Message ----------------------------
Subject: Re: [courier-users] authmysql vs apostrophe
From:    "Matt Comer" <[EMAIL PROTECTED]>
Date:    Fri, March 14, 2008 11:19 am
To:      "Martin Strand" <[EMAIL PROTECTED]>
--------------------------------------------------------------------------

Apostrophes in SQL are a no-no and can be used for SQL injection attacks.

Example: someone sends an email to your server at

user';delete * from users;

Voila, there goes your users table! I'm not surprised to see that
authmysql is stripping these characters.

Escaping is an option. However, not all RDBMSs escape such special
characters the same way, so that can be problematic.

Matt

<quote who="Martin Strand">
> I've got usernames with apostrophes (don't ask me why, people are strange)
> but they don't seem to work well with authmysql - the apostrophes are
> replaced with spaces in the mysql query:
>
> imapd: Connection, ip=[::ffff:127.0.0.1]
> authd: received auth request, service=imap, authtype=login
> authd: authmysql: trying this module
> authd: SQL query: SELECT email, "", clear, uid, gid, home, maildir, quota,
> "", "" FROM users WHERE email = "info [EMAIL PROTECTED]"
> authd: zero rows returned
> authd: no password available to compare
> authd: authmysql: REJECT - try next module
> authd: FAIL, all modules rejected
> imapd: LOGIN FAILED, user=info'[EMAIL PROTECTED], ip=[::ffff:127.0.0.1]
> imapd: Disconnected, ip=[::ffff:127.0.0.1], time=5
>
> Is there anything I can do to prevent this? Are there other characters
> that don't work with authmysql?
> I should mention that I'm using the rather old courier-authlib-0.58 and
> courier-imap-4.1.0.
>
>
> One possible workaround would be:
>
> MYSQL_LOGIN_FIELD  replace(email, "'", " ")
>
> but that feels rather "hacky" so I'd rather not do it.
>
> Thanks,
> Martin
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2008.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
> courier-users mailing list
> courier-users@lists.sourceforge.net
> Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
>

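An added illustration, not code from this thread or from Courier's authmysql, of why an apostrophe breaks a query built by string concatenation, why the space-substitution seen in the log above yields zero rows, and why parameter binding avoids the per-RDBMS escaping problem Matt mentions. It uses Python's sqlite3 in place of MySQL and a constructed users table that only mimics the column names in the log.

```python
import sqlite3

# Constructed sample data: a user whose address contains an apostrophe.
SAMPLE_USERS = [
    ("info'@example.org", "secret", 1000, 1000, "/home/vmail", "example.org/info/", ""),
    ("bob@example.org", "hunter2", 1000, 1000, "/home/vmail", "example.org/bob/", ""),
]

COLUMNS = "email, clear, uid, gid, home, maildir, quota"


def open_db():
    """In-memory stand-in for the authmysql users table."""
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE users ({COLUMNS.replace(',', ' TEXT,')} TEXT)")
    db.executemany("INSERT INTO users VALUES (?,?,?,?,?,?,?)", SAMPLE_USERS)
    return db


def build_query_unsafe(login):
    # String concatenation: the login name is pasted into the SQL text, so any
    # quote character inside it changes the meaning of the statement.
    return f"SELECT {COLUMNS} FROM users WHERE email = '{login}'"


def unsafe_query_runs(db, login):
    """True if the concatenated query even parses; an apostrophe breaks it."""
    try:
        db.execute(build_query_unsafe(login)).fetchone()
        return True
    except sqlite3.Error:
        return False


def lookup_stripped(db, login):
    # What the original poster's log shows: the apostrophe becomes a space
    # before the lookup, so the stored address can no longer match.
    return db.execute(
        f"SELECT {COLUMNS} FROM users WHERE email = ?", (login.replace("'", " "),)
    ).fetchone()


def lookup_bound(db, login):
    # Parameter binding: the value travels separately from the SQL text, so no
    # character in it is interpreted as SQL and no escaping rules are needed.
    return db.execute(f"SELECT {COLUMNS} FROM users WHERE email = ?", (login,)).fetchone()
```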


