On Fri, Jul 07, 2006 at 03:48:00PM +0200, Marc Haber wrote:
> From what I understand, the correct way would be to use
> PQescapeStringConn, but that function needs an established connection,
> and exim performs string escape "early", way before the actual
> connection is established.
I just downloaded the code and looked. The code never looks or checks
the encoding of the database. This is bad from a security point of
view because that means you have no idea how your queries are going to
be interpreted.
I'd suggest adding a PQsetClientEncoding(conn, "Latin1") right after
you establish a connection. I'm not sure if Exim has any kind of
declaration about what encoding strings have internally. You could use
UTF-8 but then postgres would complain if you pass any strings that
arn't valid UTF-8. They may or may not be desirable.
SQL_ASCII may also be an option (assign no special meaning to
characters at all), but I'm less sure of that. Can email address
contain multibyte characters? I didn't think so... What about the
configuration file?
Hope this helps,
--
Martijn van Oosterhout <kleptog@svana.org> http://svana.org/kleptog/
> From each according to his ability. To each according to his ability to litigate.