[Dovecot] How to prevent SQL injection
jh at plonk.de
Tue Jan 30 12:28:40 UTC 2007
Quoting Timo Sirainen:
> Last I checked MySQL library didn't support prepared statements at all.
> Maybe v5 finally does?
MySQL's C API does it since 4.1 (see
sqq.). In theory, it should make things faster, but last time I checked
(with 5.0, AFAIR), it didn't give any performance advantage (was even
slightly slower), but that may heavily depend on the environment, flags etc.
The nice thing about prepared statements is, IMO, that you don't have to
mess around with the query string.