On Sun, 6 Jan 2002, Sam Varshavchik wrote:
> No, not for passwords. Only for userids, with some authentication
> modules. I don't recall offhand the nitty-gritty details, but I think
> that it's feasible that authmysql and authpgsql might throw out quotes
> and apostrophes in the userid string, since that has to form an SQL
> statement, and apostrophes or quotes could be used to inject hostile
> SQL.

MySQL (recent versions) provides an escape function that would allow quotes
to be used in a field. Heck, it might even be in older versions - I'm too
used to the Perl DBI interface that does it for me.
Sapere aude
My mind not only wanders, it sometimes leaves completely.
Never attribute to malice that which can be adequately explained by stupidity.
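
The two approaches discussed in this exchange, side by side, as an added example that is not part of the original message or of the Courier code: throwing quotes out of the userid versus letting the database interface handle them through a bound parameter. Python's sqlite3 stands in for MySQL/PostgreSQL so it runs offline; the table, accounts and function names are assumptions made for the illustration.

```python
import sqlite3

# Constructed sample accounts: two distinct users whose ids differ only by an apostrophe.
ACCOUNTS = [("o'brien", "/home/o_brien"), ("obrien", "/home/obrien")]


def open_db():
    """Build an in-memory user table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (userid TEXT PRIMARY KEY, home TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", ACCOUNTS)
    return db


def lookup_stripped(db, userid):
    """Throw out quotes and apostrophes, then build the statement by concatenation.

    The quote can no longer end the string literal, but the userid that is
    looked up is no longer the one that was supplied.
    """
    cleaned = userid.replace("'", "").replace('"', "")
    sql = "SELECT home FROM users WHERE userid = '" + cleaned + "'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def lookup_bound(db, userid):
    """Pass the userid as a bound parameter; it never becomes part of the SQL text."""
    row = db.execute("SELECT home FROM users WHERE userid = ?", (userid,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = open_db()
    # Constructed inputs: a legitimate id containing an apostrophe, and a hostile one.
    for uid in ("o'brien", "x' OR '1'='1"):
        print(repr(uid), "stripped ->", lookup_stripped(db, uid),
              "| bound ->", lookup_bound(db, uid))
```

With stripping, the id `o'brien` resolves to the separate account `obrien`; with a bound parameter it resolves to the account that was actually named, and the hostile string matches nothing in either case.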