quote strings passed to sql

Juan Bernhard juan at inti.gob.ar
Mon Feb 2 17:17:09 UTC 2015
> Am 02.02.2015 um 18:07 schrieb Juan Bernhard:
>> Hello list. I'm thinking to migrate the whole user db from system users
>> to mysql. I already did it in a test environment, but something is
>> annoying my OCD... I don't quote the variables username and password
>> sent to the mysql server. I know, the mysql user that dovecot uses only
>> has select rights, but it still bothers me, because it's possible to do
>> a useless sql code injection.
>>
>> Is there a way to quote that? Something like exim's quote_mysql?
> 
> there is not much to quote when dovecot accepts only a limited set of
> chars at all and otherwise doesn't send any query
> 
> auth_username_chars =
> abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@%
> auth_username_translation =
> %@AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz
> 
The password is not subject to this limitation. I'm not an sql expert, I
still *think* that there is nothing to worry about... but I'm not 100% sure.
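The filter the quoted reply describes, as an added example that is not code from this thread or from dovecot itself: a Python model of the quoted `auth_username_chars` and `auth_username_translation` values, returning `None` when the username would be rejected before any query is built. The helper names, the pairwise reading of the translation string, and the order of the two steps (translate, then allowlist check) are assumptions.

```python
from typing import Optional

# Constructed from the two settings quoted in the reply above.
AUTH_USERNAME_CHARS = (
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@%"
)
AUTH_USERNAME_TRANSLATION = (
    "%@AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz"
)


def build_translation(spec: str) -> dict:
    """Read the setting as consecutive 'from,to' character pairs (assumption:
    this pairwise reading matches how the value is meant)."""
    if len(spec) % 2:
        raise ValueError("translation string must consist of character pairs")
    return {spec[i]: spec[i + 1] for i in range(0, len(spec), 2)}


def fix_username(username: str) -> Optional[str]:
    """Model of the username normalisation: apply the translation table, then
    reject the name if any character is outside the allowlist. A rejected name
    never reaches the SQL template, which is the point the reply makes.
    (The translate-then-check order is an assumption, not dovecot's code.)"""
    table = build_translation(AUTH_USERNAME_TRANSLATION)
    translated = "".join(table.get(c, c) for c in username)
    if any(c not in AUTH_USERNAME_CHARS for c in translated):
        return None
    return translated


if __name__ == "__main__":
    # Constructed sample inputs: one ordinary login, two with SQL metacharacters.
    for name in ("Juan%inti.gob.ar", "alice' OR '1'='1", "bob;--"):
        print(repr(name), "->", repr(fix_username(name)))
```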


More information about the dovecot mailing list