It should be up to authmysql to escape its input in order to prevent SQL injection. I doubt escaping differs much between different RDBMSs, but authmysql only supports MySQL so that's not an issue.
Postfix is using the same table and does not have a problem with  
I'll just add that hacky workaround for now.


On Fri, 14 Mar 2008 16:22:49 +0100, Matt Comer <[EMAIL PROTECTED]> wrote:

> Apostrophes in SQL are a no-no and can be used for SQL injection attacks.
> Example: someone sends an email to your server at
> user';delete * from users;
> Voila, there goes your users table! I'm not surprised to see that
> authmysql is stripping these characters.
> Escaping is an option. However, not all RDBMSs escape such special
> characters the same way, so that can be problematic.
> Matt
> <quote who="Martin Strand">
>> I've got usernames with apostrophes (don't ask me why, people are strange)
>> but they don't seem to work well with authmysql - the apostrophes are
>> replaced with spaces in the mysql query:
>> imapd: Connection, ip=[::ffff:]
>> authd: received auth request, service=imap, authtype=login
>> authd: authmysql: trying this module
>> authd: SQL query: SELECT email, "", clear, uid, gid, home, maildir, quota, "", "" FROM users WHERE email = "info [EMAIL PROTECTED]"
>> authd: zero rows returned
>> authd: no password available to compare
>> authd: authmysql: REJECT - try next module
>> authd: FAIL, all modules rejected
>> imapd: LOGIN FAILED, user=info'[EMAIL PROTECTED], ip=[::ffff:]
>> imapd: Disconnected, ip=[::ffff:], time=5
>> Is there anything I can do to prevent this? Are there other characters
>> that don't work with authmysql?
>> I should mention that I'm using the rather old courier-authlib-0.58 and
>> courier-imap-4.1.0.
>> One possible workaround would be:
>> MYSQL_LOGIN_FIELD  replace(email, "'", " ")
>> but that feels rather "hacky" so I'd rather not do it.
>> Thanks,
>> Martin
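
The three approaches discussed in this thread (splicing the login straight into the query, escaping the apostrophe, and letting the database driver carry the value as a parameter) side by side, as an added example that is not part of the thread or of courier-authlib. It uses an in-memory SQLite table shaped like the authmysql query instead of MySQL, so the escaping shown is the standard-SQL quote doubling; MySQL's backslash escaping is the kind of RDBMS difference Matt refers to. The table contents and the address `info'test@example.invalid` are constructed sample data.

```python
import sqlite3

# Constructed sample rows: same columns authmysql selects, one address with an apostrophe.
SAMPLE_USERS = [
    ("info'test@example.invalid", "secret1", 1000, 1000, "/home/vmail", "example/info/"),
    ("alice@example.invalid", "secret2", 1000, 1000, "/home/vmail", "example/alice/"),
]

INJECTION_STRING = "user';delete * from users;"  # the input from Matt's message


def make_db():
    """Stand-in for the MySQL users table (assumption: SQLite instead of MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (email TEXT, clear TEXT, uid INT, gid INT, home TEXT, maildir TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_concat(conn, login):
    """Vulnerable pattern: the login becomes part of the SQL text, so an apostrophe
    ends the string literal early and the rest of the input is parsed as SQL."""
    sql = "SELECT email, clear FROM users WHERE email = '%s'" % login
    return conn.execute(sql).fetchone()


def escape_sql_standard(value):
    """Standard-SQL escaping: double every single quote. Correct for SQLite, but
    MySQL clients must also handle backslashes, which is why escaping is driver-specific."""
    return value.replace("'", "''")


def lookup_escaped(conn, login):
    """Escaping applied before concatenation: the apostrophe stays inside the literal."""
    sql = "SELECT email, clear FROM users WHERE email = '%s'" % escape_sql_standard(login)
    return conn.execute(sql).fetchone()


def lookup_param(conn, login):
    """Parameterised query: the driver sends the value separately from the SQL text,
    so no character in the login can change the statement's structure."""
    return conn.execute(
        "SELECT email, clear FROM users WHERE email = ?", (login,)
    ).fetchone()


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def demo():
    """Run the three lookups against the apostrophe login and the injection string."""
    conn = make_db()
    login = "info'test@example.invalid"
    results = {}

    # Concatenation: the apostrophe in a legitimate address breaks the statement.
    try:
        lookup_concat(conn, login)
        results["concat"] = "ok"
    except sqlite3.Error:
        results["concat"] = "sql error"

    # Escaping and parameters both find the row.
    results["escaped"] = lookup_escaped(conn, login)[0]
    results["param"] = lookup_param(conn, login)[0]

    # The injection string is just an unknown address when passed as a parameter;
    # the table is untouched.
    results["injection_param"] = lookup_param(conn, INJECTION_STRING)
    results["rows_after"] = row_count(conn)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The `replace(email, "'", " ")` workaround in the original message sits in the opposite place: it rewrites the stored column to match an already-mangled login, whereas escaping or parameters fix how the login is carried into the query and leave the stored addresses alone.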

courier-users mailing list
