Re: [AMaViS-user] $sql_select_policy help

Mon, 18 Jun 2007 10:55:49 -0700 

On Mon, Jun 18, 2007 at 04:14:20PM +0200, Mark Martinec wrote:
> Daniel,
> 
> > I'm tuning up my $sql_select_policy in order to improve functionality
> > of amavis on my mail server and I'm struggling with something which
> > I'd imagine would be simple.  I need to extend this query as follows:
> >
> > " ... OR alias.goto LIKE ('%RECIPIENT%')"
> >
> > where RECIPIENT is the individual recipient address for the message
> > in question and the % signs are wrapping it in order to treat it as a
> > needle in a haystack.  I need the same recipient address which
> > appears in the first set of single quotes when the %k macro is
> > expanded in the typical policy lookup query (per the various README
> > examples)...
> 
> Here below is a patch to 2.5.1 to provide a placeholder %a, which
> is much like the %k, except that it only expands to the exact mail address,
> the same as the first entry provided by the %k expansion.

> 
> It will enable you to do what you want, for example:
> 
> $sql_select_policy =
> "SELECT *,users.id FROM users LEFT JOIN policy ON users.policy_id=policy.id".
>   " WHERE users.email IN (%k) OR alias.goto LIKE concat('%', %a, '%')".
>   " ORDER BY users.priority DESC";
> 
> although I'm not sure if this is really what you want: letting a
> world-provided string be interpreted as a SQL pattern looks
> like asking for trouble.

  Without digging into it would *seem* like allowing that would risk
having email addresses with single quotes (') injected into them for an
SQL injection attack.

  -- Clifton

-- 
    Clifton Royston  --  [EMAIL PROTECTED] / [EMAIL PROTECTED]
       President  - I and I Computing * http://www.iandicomputing.com/
 Custom programming, network design, systems and network consulting services

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
AMaViS-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/

Reply via email to