On Thu 21 Sep 2006 19:03, Michael Griego wrote:
There is a risk with this patch of running queries where the WHERE clause becomes WHERE UserName = ''... Which, I guess isn't really all that bad...
Thats exactly what _I_ wanted to happen.. As far as SQL is concerned a zero length username is perfectly legal and could infact still return a password etc even without any of the fancy stored procedure tricks I am using...
I'm not sure I have any real problem with it, but we'll probably want to make the default sql_user_name configuration item %{User-Name:- DEFAULT} if we make the change this way.
It doesn't really bother me, but this is different behaviour to other modules... Why rewrite it at all? -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc