On Wed, 2010-03-10 at 17:03 +0000, Alain Williams wrote:
> > The problem with doing that is that 1) it's not normally necessary and
> > more importantly 2) doing that makes any potential SQL injection
> > security holes a lot easier to exploit. So I'm not all that eager in
> > adding such code, especially if it can be worked around another way..
>
> CLIENT_MULTI_STATEMENTS allows multiple statements in one call (you separate
> by ',').
> CLIENT_MULTI_RESULTS does not imply CLIENT_MULTI_STATEMENTS.
> Is this what you were concerned about ?

Yeah, I mixed up MULTI_STATEMENTS and MULTI_RESULTS. So I can enable the
MULTI_RESULTS I guess.. I committed your patch, but with some changes. In
error conditions it would have leaked memory.
http://hg.dovecot.org/dovecot-2.0/rev/612db456c090

> That is not how I store passwords - I keep them as DIGEST-MD5, this is:
> md5('username:domain:password')
> So I want %o to be that value. Squirrelmail should be able to deduce that from
> the line in the dovecot-sql.conf:
> default_pass_scheme="DIGEST-MD5"

Well, yeah.. That would be possible to implement. But not a very good idea
to waste everyone's CPU by calculating that checksum for each lookup, when
you're the only one using it. So it should be a var-expand modifier instead
of variable, so you could then use e.g. %Sw that expands to %w through
default_pass_scheme (and only when it's used). The problem is, var-expand
code doesn't currently support adding more modifiers. So its API would need
to be changed.

> I am trying to find a definition of the API to plugins, ...

There are many kinds of plugins, but none really seem to fit what you wanted
to do below.

> if the SQL stored procedure can return arbitrary variables that can then be used
> by PHP plugins then I can do things like issuing a warning about the password
> about to expire, number of failed login attempts since the last success, ...
> Ie all sorts of things that the authentication stored procedures could store
> and manage.

One possibility would be to return 'reason' string from password_query for
failures, which contains all of the information you want to know. And if you
don't want it to be visible to non-webmail clients, you could return it only
when '%r'='127.0.0.1'.
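The concern raised at the top of this message, that multi-statement support makes an injection hole easier to exploit, shown as an added example that is not part of the thread or of Dovecot's code. It uses Python's sqlite3 as a stand-in for the MySQL client flags (`execute()` takes one statement per call, `executescript()` runs several); the table, the input string and all function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed in-memory table standing in for a mail user database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'stored-hash-A')")
    db.commit()
    return db

def build_query(username):
    # Deliberately unsafe: the value is pasted into the SQL text unescaped.
    return "SELECT password FROM users WHERE username = '%s'" % username

# Constructed input that closes the string literal and appends a second statement.
STACKED = "x'; UPDATE users SET password = 'overwritten' WHERE username = 'alice' --"

def stored_password(db):
    return db.execute("SELECT password FROM users WHERE username = 'alice'").fetchone()[0]

def single_statement(db, username):
    """One statement per call, like a connection without multi-statement support."""
    try:
        db.execute(build_query(username)).fetchall()
        return "executed"
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        return "rejected"  # the driver refuses the trailing second statement

def multi_statement(db, username):
    """Every statement in the string runs, like multi-statement mode."""
    db.executescript(build_query(username))

def bound_parameter(db, username):
    """Safe in either mode: the value is bound and never becomes SQL text."""
    return db.execute("SELECT password FROM users WHERE username = ?", (username,)).fetchall()

def demo():
    results = {}
    db = make_db()
    results["single"] = (single_statement(db, STACKED), stored_password(db))
    db = make_db()
    multi_statement(db, STACKED)
    results["multi"] = stored_password(db)
    db = make_db()
    results["bound"] = (bound_parameter(db, STACKED), stored_password(db))
    return results

if __name__ == "__main__":
    print(demo())
```

The same unescaped query is limited to what a single SELECT can do in single-statement mode, but lets the appended UPDATE run once multiple statements are allowed; binding the value removes the hole in both modes.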