[Dovecot] How to prevent SQL injection

Timo Sirainen tss at iki.fi
Tue Jan 30 11:40:04 UTC 2007


On Tue, 2007-01-30 at 12:12 +0100, Jürgen Herz wrote:
> Hi Jochen,
> 
> > In the wiki I didn't find anything specific, only
> > http://wiki.dovecot.org/Variables which mentions that there is the %E
> > modifier which escapes single quotes and backslashes. This appears to be
> > a good idea but I am asking myself whether I need to do this since it is
> > not mentioned anywhere. Is anybody able to comment on this?
> 
> Escaping is a nice mitigation.
> But the method of choice is prepared statements (either in stored
> procedures or in the application). This is not only more secure than
> dynamically building SQL statements but also a bit faster.
> In fact it can accelerate the app even more since no escaping is needed
> then.
> 
> Hopefully Dovecot is already doing it that way.

Last I checked MySQL library didn't support prepared statements at all.
Maybe v5 finally does?

Anyway, other reasons why Dovecot doesn't use prepared statements is
because it limits what you can do with the SQL queries. Some people
really are using for example dynamic table names such as users_%s.

Maybe I'll add support for prepared statements some day, and then make
it optional to use in the SQL queries. I don't think it'll give that big
of a performance increment though, compared to what else is needed to be
done in the authentication.
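The two approaches the thread contrasts, shown side by side in a small Python re-implementation added here (this is not code from the thread or from Dovecot): a Dovecot-style `password_query` template expanded by string substitution, where only the `%Eu` form escapes the username, versus a parameterized query where the driver carries the value separately. It also covers the `users_%s` case Timo raises, since placeholders cannot stand in for table names, so a dynamic identifier has to be validated instead. The template expansion, escaping rules, table data and password strings are constructed for the example; SQLite is used in place of MySQL so it runs offline, which is also why the example shows that the MySQL-style escaping the wiki's `%E` performs does not carry over to another dialect.

```python
import re
import sqlite3

# Constructed sample rows, not data from the post. Password values are placeholders.
SAMPLE_USERS = [("alice", "{SHA1}hash-alice"), ("o'brien", "{SHA1}hash-obrien")]


def make_db() -> sqlite3.Connection:
    """Build an in-memory users table standing in for the MySQL backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def escape_value(value: str, dialect: str = "sqlite") -> str:
    """Escape a value for use inside a single-quoted SQL literal.

    The wiki's %E modifier escapes single quotes and backslashes, which is the
    MySQL convention; SQLite instead doubles the quote. The rule being
    dialect-specific is one more reason to prefer parameters over escaping.
    """
    if dialect == "mysql":
        return value.replace("\\", "\\\\").replace("'", "\\'")
    return value.replace("'", "''")


def expand_template(template: str, username: str, dialect: str = "sqlite") -> str:
    """Hypothetical stand-in for Dovecot's variable expansion: %Eu inserts the
    escaped username, %u the raw one. %Eu is replaced first so that the %u
    inside it is not matched by the raw substitution."""
    return template.replace("%Eu", escape_value(username, dialect)).replace("%u", username)


def lookup_by_template(conn, template, username, dialect="sqlite"):
    """Dynamically built query. Returns (ok, password_or_None); ok is False
    when the expanded SQL no longer parses, which is what a raw %u produces
    for a username containing a quote."""
    sql = expand_template(template, username, dialect)
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return False, f"query failed: {exc}"
    return True, (row[0] if row else None)


def lookup_parameterized(conn, username):
    """Prepared/parameterized form: the value never touches the SQL text, so
    no escaping is needed and the quote in o'brien is plain data."""
    row = conn.execute(
        "SELECT password FROM users WHERE userid = ?", (username,)
    ).fetchone()
    return row[0] if row else None


# Identifiers cannot be bound as parameters, so a dynamic table name
# (the users_%s case) is validated against an allowlist pattern instead.
IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def table_for(suffix: str) -> str:
    """Return users_<suffix> only if it is a plain identifier."""
    name = f"users_{suffix}"
    if not IDENTIFIER.match(name):
        raise ValueError(f"refusing unsafe table name {name!r}")
    return name


if __name__ == "__main__":
    db = make_db()
    raw = "SELECT password FROM users WHERE userid = '%u'"
    escaped = "SELECT password FROM users WHERE userid = '%Eu'"
    print(lookup_by_template(db, raw, "o'brien"))        # (False, 'query failed: ...')
    print(lookup_by_template(db, escaped, "o'brien"))    # (True, '{SHA1}hash-obrien')
    print(lookup_parameterized(db, "o'brien"))           # {SHA1}hash-obrien
    print(table_for("example_org"))                      # users_example_org
```

The `dialect="mysql"` path exists only to show the mismatch: feeding a MySQL-escaped literal to SQLite fails to parse, so an escaping rule is only as good as its match with the backend, whereas the `?` placeholder needs no such knowledge. For the identifier case, the allowlist is deliberately stricter than what the database would accept, since a domain with a dot in it is the realistic way a `users_%s` name goes wrong.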