On 23.05.2013 13:45, Jasen Betts wrote:
On 2013-05-21, Cyborg <[email protected]> wrote:
On 21.05.2013 10:53, Fabien Wang wrote:
just change the match from direct match to an indirect one:
server_condition = "${if and { \
{!eq{$1}{}} \
{!eq{$2}{}} \
{eq{1}{${lookup mysql{SELECT '1' FROM mailboxes WHERE (domain = \
'${domain:$1}' \
AND password = sha1('$2') AND username = '${local_part:$1}')}{$value}fail}} }} {yes}{no}}"
That's a recipe for SQL injection,
because the mysqlquote() is missing, but that was already mentioned by
someone else.
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
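
The quoting the reply above refers to, as an added example that is not part of the original thread: in Exim the operator is written `${quote_mysql:...}`, and it escapes the characters that are special to MySQL before a value is placed inside the query string. The table and column names and the `$1`/`$2` variables are taken from the quoted configuration.

```exim
# Same condition as in the quoted message, but every client-supplied value
# is passed through ${quote_mysql:...} before it reaches the SQL text.
# ${domain:...} and ${local_part:...} only split the address; they do not
# escape anything, so the quoting operator is applied to their result.
server_condition = "${if and { \
    {!eq{$1}{}} \
    {!eq{$2}{}} \
    {eq{1}{${lookup mysql{SELECT '1' FROM mailboxes WHERE (domain = \
        '${quote_mysql:${domain:$1}}' \
        AND password = sha1('${quote_mysql:$2}') \
        AND username = '${quote_mysql:${local_part:$1}}')}{$value}fail}} }} \
    {yes}{no}}"
```

The password in `$2` needs the same treatment as the address parts, because it is interpolated into the query text before `sha1()` is evaluated by the database.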