On Sun, 6 Jan 2002, Sam Varshavchik wrote:

> No, not for passwords. Only for userids, with some authentication
> modules. I don't recall offhand the nitty-gritty details, but I think
> that it's feasible that authmysql and authpgsql might throw out quotes
> and apostrophes in the userid string, since that has to form an SQL
> statement, and apostrophes or quotes could be used to inject hostile
> SQL.

mysql (recent versions) provides an escape function that would allow quotes to be used in a field. Heck, it might even be in older versions - I'm too used to the perl DBI interface that does it for me.

-- 
Sapere aude
My mind not only wanders, it sometimes leaves completely.
Never attribute to malice that which can be adequately explained by stupidity.
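
The three ways of handling a userid discussed in this exchange, side by side, as an added example that is not part of the original thread and not Courier's code. Assumptions: Python's built-in sqlite3 stands in for MySQL so the block runs offline, the `users` table and all function names are hypothetical, and the escaping shown is SQL-standard apostrophe doubling (sufficient for SQLite string literals), not MySQL's own escape function.

```python
import sqlite3

def make_db():
    # Constructed sample accounts; table and column names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id TEXT PRIMARY KEY, home TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("o'brien", "/home/obrien"), ("alice", "/home/alice")])
    return db

def lookup_stripped(db, userid):
    """Throw out quotes and apostrophes, then build the statement by hand."""
    cleaned = userid.replace("'", "").replace('"', "")
    sql = "SELECT home FROM users WHERE id = '" + cleaned + "'"
    return db.execute(sql).fetchall()

def lookup_escaped(db, userid):
    """Escape instead of delete: double each apostrophe inside the literal."""
    escaped = userid.replace("'", "''")
    sql = "SELECT home FROM users WHERE id = '" + escaped + "'"
    return db.execute(sql).fetchall()

def lookup_bound(db, userid):
    """Placeholder binding: the driver keeps the value out of the SQL text."""
    return db.execute("SELECT home FROM users WHERE id = ?", (userid,)).fetchall()

def compare(userid):
    """Run all three lookups against a fresh database and collect the rows."""
    db = make_db()
    return {
        "stripped": lookup_stripped(db, userid),
        "escaped": lookup_escaped(db, userid),
        "bound": lookup_bound(db, userid),
    }

if __name__ == "__main__":
    # Constructed inputs: a plain id, a legitimate id containing an
    # apostrophe, and a string that tries to alter the WHERE clause.
    for userid in ("alice", "o'brien", "x' OR '1'='1"):
        print(repr(userid), compare(userid))
```

All three keep the hostile string inert, but stripping also changes `o'brien` into `obrien`, so a legitimate account with an apostrophe in its id can no longer be found.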
