Gordon Messmer wrote:
> Alessandro Vesely wrote:
>> I'd use mysql_real_escape_string(), if available. See
>> http://bugs.mysql.com/bug.php?id=10214
>
> No, you should never use any escape function on user input if it can be
> helped. Prepared statements are the most convenient, fastest, and most
> secure way to make queries that include user input:
> http://dev.mysql.com/doc/refman/5.0/en/c-api-prepared-statements.html
Indeed, to use prepared statements would be itself a good reason to review that code. It was added in MySQL 4.1.2; the auth code still has a conditional part for older MySQL versions. Should I assume we should continue supporting them, and use that statement only for recent versions?

> I can barely make out what's going on in the mysql auth driver, but it
> doesn't look like Sam's work. Perhaps he doesn't use MySQL.

I can start working on that patch next week, as soon as I get back home.

_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net