On 15/11/2024 12:25, Luca Bertoncello via Exim-users wrote:
> I cannot understand "tainted search query is not properly quoted"...
Wow, that's pretty unreadable just due to the size of it. Does mysql not have stored procedures? Anyway, I spot (at least) a bare "$message_headers" in there. An attacker could very simply send you a custom header with some SQL syntax in it, causing your DB access to do something you did not want to permit. Like deleting all your data. You need to quote such items, which is why Exim is warning you about it.

--
Cheers,
Jeremy

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## [email protected]
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
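As an added illustration of the point Jeremy makes (this is not Luca's configuration and not from the thread), here is the shape of the problem in an Exim DATA ACL: the same lookup once with the tainted variable spliced in bare, and once wrapped in quote_mysql. The table name blocklist, its column hdr and the variable acl_m_hit are assumptions made up for the example.

```exim
# Added example, not part of the original thread. The table "blocklist",
# its column "hdr" and the variable acl_m_hit are hypothetical.
# $message_headers is tainted: it is the header block exactly as the
# sending client supplied it, so every byte of it is attacker-controlled.

# Unsafe: the tainted value is spliced into the SQL text unquoted. A header
# such as   X-Foo: ' OR 1=1 --   terminates the string literal and rewrites
# the WHERE clause. Recent Exim versions log
# "tainted search query is not properly quoted" for exactly this pattern.
warn  set acl_m_hit = ${lookup mysql{SELECT 1 FROM blocklist \
                         WHERE hdr = '$message_headers'}{$value}{0}}

# Safe: quote_mysql backslash-escapes quotes, backslashes, NUL and line
# terminators, so the header text stays inside the string literal no
# matter what the sender put in it.
warn  set acl_m_hit = ${lookup mysql{SELECT 1 FROM blocklist \
                         WHERE hdr = '${quote_mysql:$message_headers}'}{$value}{0}}
deny  condition = ${if eq{$acl_m_hit}{1}}
      message   = Header matched blocklist
```

The rule of thumb is that any tainted variable (headers, envelope addresses, anything read off the wire) that lands inside a SQL string needs the lookup-specific quote operator around it; that is the check Exim performs before emitting the warning in the subject line.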
