On Wed, 2010-03-10 at 17:03 +0000, Alain Williams wrote:
The problem with doing that is that 1) it's not normally necessary and more importantly 2) doing that makes any potential SQL injection security holes a lot easier to exploit. So I'm not all that eager to add such code, especially if it can be worked around another way..
CLIENT_MULTI_STATEMENTS allows multiple statements in one call (you separate by ','). CLIENT_MULTI_RESULTS does not imply CLIENT_MULTI_STATEMENTS. Is this what you were concerned about?
Yeah, I mixed up MULTI_STATEMENTS and MULTI_RESULTS. So I can enable the MULTI_RESULTS I guess..
I committed your patch, but with some changes. In error conditions it would have leaked memory. http://hg.dovecot.org/dovecot-2.0/rev/612db456c090
That is not how I store passwords - I keep them as DIGEST-MD5, this is: md5('username:domain:password') So I want %o to be that value. Squirrelmail should be able to deduce that from the line in the dovecot-sql.conf: default_pass_scheme="DIGEST-MD5"
Well, yeah.. That would be possible to implement. But not a very good idea to waste everyone's CPU by calculating that checksum for each lookup, when you're the only one using it. So it should be a var-expand modifier instead of a variable, so you could then use e.g. %Sw that expands to %w through default_pass_scheme (and only when it's used).
The problem is, var-expand code doesn't currently support adding more modifiers. So its API would need to be changed.
I am trying to find a definition of the API to plugins, ...
There are many kinds of plugins, but none really seem to fit what you wanted to do below.
if the SQL stored procedure can return arbitrary variables that can then be used by PHP plugins then I can do things like issuing a warning about the password about to expire, number of failed login attempts since the last success, ... I.e. all sorts of things that the authentication stored procedures could store and manage.
One possibility would be to return 'reason' string from password_query for failures, which contains all of the information you want to know. And if you don't want it to be visible to non-webmail clients, you could return it only when '%r'='127.0.0.1'.
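The point made earlier in this message, that enabling multi-statement execution turns an ordinary SQL injection hole into something far worse, can be shown in a few lines. The following is an added example and not code from Dovecot or from this thread. It uses Python's sqlite3 module as a stand-in for the MySQL client: `execute()` accepts exactly one statement, which plays the role of a client without CLIENT_MULTI_STATEMENTS, and `executescript()` runs every statement in the string, which plays the role of a client with it. The users table and the two payloads are constructed for the demonstration; the string-formatted password_query mirrors the kind of lookup a dovecot-sql.conf performs, and the parameterized variant is the fix.

```python
import sqlite3

# Constructed payloads.
PAYLOAD_MULTI = "'; DROP TABLE users; --"   # only dangerous with multi-statement support
PAYLOAD_SINGLE = "' OR '1'='1"              # fits inside one statement, works regardless

QUERY_TEMPLATE = "SELECT password FROM users WHERE username = '%s'"


def _fresh_db():
    """Constructed sample table standing in for the password_query backend."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT);"
        "INSERT INTO users VALUES ('alice', 'secret1'), ('bob', 'secret2');"
    )
    return con


def _users_table_exists(con):
    row = con.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = 'users'"
    ).fetchone()
    return row[0] == 1


def lookup_single(username):
    """String-built query on a driver that runs one statement per call
    (the MySQL client without CLIENT_MULTI_STATEMENTS)."""
    con = _fresh_db()
    sql = QUERY_TEMPLATE % username
    try:
        rows = len(con.execute(sql).fetchall())
        error = None
    except (sqlite3.Warning, sqlite3.ProgrammingError) as exc:
        # sqlite3 refuses a second statement in execute(); older versions raise
        # Warning, newer ones ProgrammingError.
        rows, error = 0, str(exc)
    return {"rows": rows, "users_table_intact": _users_table_exists(con), "error": error}


def lookup_multi(username):
    """Same string-built query on a driver that runs every statement in the
    string (the MySQL client with CLIENT_MULTI_STATEMENTS). executescript()
    discards result rows, so only the side effect on the schema is reported."""
    con = _fresh_db()
    con.executescript(QUERY_TEMPLATE % username)
    return {"users_table_intact": _users_table_exists(con)}


def lookup_parameterized(username):
    """The fix: the username travels as a bound parameter, never as SQL text,
    so neither payload changes the statement that runs."""
    con = _fresh_db()
    rows = con.execute(
        "SELECT password FROM users WHERE username = ?", (username,)
    ).fetchall()
    return {"rows": len(rows), "users_table_intact": _users_table_exists(con)}


if __name__ == "__main__":
    print("single-statement driver, normal user:", lookup_single("alice"))
    print("single-statement driver, OR payload:  ", lookup_single(PAYLOAD_SINGLE))
    print("single-statement driver, DROP payload:", lookup_single(PAYLOAD_MULTI))
    print("multi-statement driver, OR payload:   ", lookup_multi(PAYLOAD_SINGLE))
    print("multi-statement driver, DROP payload: ", lookup_multi(PAYLOAD_MULTI))
    print("parameterized, DROP payload:          ", lookup_parameterized(PAYLOAD_MULTI))
```

Running it shows the distinction the message draws: the `' OR '1'='1` payload dumps every password row whether or not multi-statements are enabled, so the hole exists either way, but the `'; DROP TABLE users; --` payload is rejected outright by the single-statement driver and destroys the table on the multi-statement one. Binding the parameter closes both.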