Matt Dunford <matt(_at_)stary(_dot_)zoomedia(_dot_)com> writes:
> Sounds like it would work (untested, of course!).
>
> :0
> * ^Subject:\/.*
> | echo $MATCH | match_subj.pl

Since that action doesn't read its stdin (the perl script doesn't
even have access to the stdin of the action itself), the recipe needs
the 'i' flag.

> match_subj.pl:
>
> use DBI;
> $subject = join("",<STDIN>);

<sigh>

Rather than use a shell and the echo command, why not just grab the value
of MATCH from the environment? That also eliminates the error of not
quoting $MATCH in the echo command.

    :0 i
    * ^Subject:\/.*
    | match_subj.pl

then in match_subj.pl:

    $subject = $ENV{MATCH};

> $dbh = DBI->connect("DBI:mysql:emails");
> $query = $dbh->prepare("select * from subjects where subject='$subject'");
> $query->execute();

DO NOT INCLUDE UNTRUSTED DATA IN A prepare() CALL! Consider what happens
when someone sends a message with a Subject: of

    foo' OR TRUE OR subject = 'bar

Poof, they just dumped the entire table. Several web sites have been
hacked using such techniques; do not let your mail server be the next
one.

The solution is to treat parameters as parameters:

    $query = $dbh->prepare("select * from subjects where subject = ?");
    $query->execute($subject);

Philip Guenther
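
Added example, not part of the message above or of anyone's posted code: the interpolated query and the placeholder query run side by side against the same rows, using the Subject: value quoted in the message. It assumes DBD::SQLite is installed and uses an in-memory SQLite database as a stand-in for the MySQL "emails" database; the sample rows and the helper names count_interpolated and count_bound are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. Assumes DBD::SQLite is installed;
# an in-memory SQLite database stands in for the MySQL "emails" database.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, PrintError => 0 });
$dbh->do("CREATE TABLE subjects (subject TEXT)");

# Constructed sample rows.
for my $row ("weekly report", "invoice 1234", "lunch?") {
    $dbh->do("INSERT INTO subjects (subject) VALUES (?)", undef, $row);
}

# Original form: the subject is pasted into the SQL text before parsing.
sub count_interpolated {
    my ($subject) = @_;
    my $sth = $dbh->prepare(
        "select * from subjects where subject='$subject'");
    $sth->execute();
    return scalar @{ $sth->fetchall_arrayref };
}

# Placeholder form: the SQL text is fixed and the subject is bound as data.
sub count_bound {
    my ($subject) = @_;
    my $sth = $dbh->prepare("select * from subjects where subject = ?");
    $sth->execute($subject);
    return scalar @{ $sth->fetchall_arrayref };
}

my @subjects = (
    "invoice 1234",                     # ordinary subject
    "foo' OR TRUE OR subject = 'bar",   # the Subject: from the message above
    "O'Brien's order",                  # harmless apostrophes
);

for my $subject (@subjects) {
    my $bound  = count_bound($subject);
    # With RaiseError set, malformed SQL dies; report it instead of aborting.
    my $interp = eval { count_interpolated($subject) };
    $interp = "SQL error" unless defined $interp;
    printf "%-32s bound=%d interpolated=%s\n", $subject, $bound, $interp;
}
```

The placeholder form compares every subject as a literal string, so the hostile Subject: matches nothing and an ordinary apostrophe no longer breaks the statement.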