Am 02.02.2015 um 18:17 schrieb Juan Bernhard:
Am 02.02.2015 um 18:07 schrieb Juan Bernhard:
Hello list. I'm thinking to migrate the hole user db from system users to mysql. I already did it in a test environment, but something is annoying my OCD... I don't quote the variables username and password sent to the mysql server. I know, the mysql user that dovecot uses only has select rights, but it stills bother me, because its possible to do an useless sql code injection.
Is there a way to quote that? Something like exim's quote_mysql?
there is not much to quote when dovecot accepts only a limited set of chars at all and otherwise don't send any query
auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@% auth_username_translation = %@AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz
The password is not subjet to this limitation. Im not an sql expert, i still *think* that there is nothing to worry about... but im not 100% sure
did you *test* it or do you just assume? who say something like "quote_mysql" is needed at all?
postfix also don't need such a function http://www.postfix.org/mysql_table.5.html
SELECT [select_field] FROM [table] WHERE [where_field] = '%s' [additional_conditions]
The '%s' in the WHERE clause expands to the escaped search string.