Matt Comer wrote:
> I agree, but with one possible caveat: most RDBMSs allow you to configure
> the quoting behavior away from the default if you want. I am not a mysql
> expert, but if mysql allows the quote character (default "\" for mysql)
> then authmysql should also allow this to be configurable.
Good thought! As a security enhancement, one can set an SQL_MODE of
NO_BACKSLASH_ESCAPES. Thereafter backslash escaping is not possible.
Otherwise, injections can be carried out using sequences crafted so that
after escaping they become valid multibyte characters. See
http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

I'd use mysql_real_escape_string(), if available. See
http://bugs.mysql.com/bug.php?id=10214

> <quote who="Alessandro Vesely">
>> Authmysql needs to be revamped. I'd propose to accept any local-part
>> that can be the target of an RCPT TO command (also for imap/pop
>> logins.) Apparently, that implies not only allowing single quotes, but
>> also quoted strings. Thus, one could patch authmysqllib.c so that,
>> e.g., <"Roger's \"rabbit\""@example.com> would result in setting the
>> local part as
>>
>>     Roger\'s "rabbit"
>>
>> Would that be correct? Would it break anything?

_______________________________________________
courier-users mailing list
[email protected]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
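As an added example (not part of this thread, and not Courier's authmysql code), the following Python models the failure mode the two links in the reply above describe: byte-oriented backslash escaping applied to input that the server will read as GBK, compared with the quote doubling that a NO_BACKSLASH_ESCAPES session expects. The GBK lead/tail byte ranges, the 0xBF payload, the addslashes-style escaper and the toy literal scanner are assumptions for illustration; neither the real mysql_real_escape_string() nor the MySQL lexer is reproduced.

```python
# Added example, not code from the courier-users thread or from Courier's
# authmysql. It models the two escaping strategies discussed above and a
# minimal GBK-aware literal scanner so the failure mode can be observed.

LEAD_LO, LEAD_HI = 0x81, 0xFE            # GBK lead-byte range (assumption for the model)
QUOTE, BACKSLASH = 0x27, 0x5C


def gbk_char_len(data: bytes, i: int) -> int:
    """Length in bytes of the character starting at data[i] under GBK rules:
    a lead byte followed by a valid tail byte (0x40-0x7E or 0x80-0xFE) is one
    two-byte character; anything else, including a lead byte followed by an
    ASCII quote, is treated as a single byte."""
    b = data[i]
    if LEAD_LO <= b <= LEAD_HI and i + 1 < len(data):
        t = data[i + 1]
        if 0x40 <= t <= 0x7E or 0x80 <= t <= 0xFE:
            return 2
    return 1


def addslashes(data: bytes) -> bytes:
    """Byte-oriented escaping in the style of PHP's addslashes(): put a
    backslash before ' " \\ and NUL without looking at character boundaries."""
    out = bytearray()
    for b in data:
        if b in (QUOTE, 0x22, BACKSLASH, 0x00):
            out.append(BACKSLASH)
        out.append(b)
    return bytes(out)


def double_quotes(data: bytes) -> bytes:
    """Escaping for a NO_BACKSLASH_ESCAPES session: a literal ' becomes '';
    no backslash is ever inserted, so no byte can merge with a lead byte."""
    return data.replace(b"'", b"''")


def literal_terminates_early(body: bytes, multibyte: bool, backslash_escapes: bool) -> bool:
    """Walk the body of a single-quoted SQL literal the way a lexer would and
    report whether a quote inside it would close the literal, i.e. whether the
    escaping failed. `multibyte` selects GBK grouping (False models a
    single-byte charset such as latin1); `backslash_escapes` is False under
    SQL_MODE NO_BACKSLASH_ESCAPES. A doubled quote is a literal quote in both
    modes, as in MySQL."""
    i, n = 0, len(body)
    while i < n:
        if multibyte and gbk_char_len(body, i) == 2:
            i += 2                      # whole two-byte character, cannot be a quote
            continue
        b = body[i]
        if backslash_escapes and b == BACKSLASH:
            i += 2                      # backslash escapes the following byte
            continue
        if b == QUOTE:
            if i + 1 < n and body[i + 1] == QUOTE:
                i += 2                  # '' is an escaped quote
                continue
            return True                 # bare quote: the literal ends here
        i += 1
    return False


# Constructed attacker input: GBK lead byte 0xBF followed by an ASCII quote.
PAYLOAD = b"\xbf'"


def demo() -> dict:
    slashed = addslashes(PAYLOAD)       # b"\xbf\\'": 0xBF 0x5C now forms one GBK character
    doubled = double_quotes(PAYLOAD)    # b"\xbf''"
    return {
        "slashed_as_gbk": slashed.decode("gbk"),   # two characters; the second is a bare '
        "slashed_latin1_backslash": literal_terminates_early(slashed, False, True),
        "slashed_gbk_backslash":    literal_terminates_early(slashed, True, True),
        "slashed_gbk_no_backslash": literal_terminates_early(slashed, True, False),
        "doubled_gbk_no_backslash": literal_terminates_early(doubled, True, False),
        "doubled_gbk_backslash":    literal_terminates_early(doubled, True, True),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

Two things the model makes visible. First, the same escaped bytes are safe when read as latin1 and unsafe when read as GBK, so the escaping routine has to know the connection character set, which is the point of preferring mysql_real_escape_string() over a byte-level substitute. Second, the server mode and the client escaper must agree: feeding addslashes-style output to a NO_BACKSLASH_ESCAPES session leaves a literal backslash followed by a closing quote, so switching SQL_MODE alone, without changing how the client escapes, does not help.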
