30 Jan
2007
3:39 p.m.
Jakob Hirsch:
Quoting Jochen Schulz:
On my way home today I thought a little bit about my setup, which involves user and password lookups in an SQL database (Postgres). I asked myself whether I need to do anything to prevent SQL injection via forged user or domain names.
RTSL! Every SQL driver has its own escape function, which is called for every %var string.
This was discussed before: http://dovecot.org/list/dovecot/2006-November/017610.html
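A small added illustration of the mechanism Jakob describes (not Dovecot's code): a %var expander that runs every substituted value through a driver-style escape function before it lands in the query, checked against an in-memory SQLite stand-in for the Postgres users table. %n and %d are Dovecot's own variables; the table layout, the names and the single-letter-only variable syntax are assumptions of this toy.

```python
import re
import sqlite3

# Dovecot-style password_query template. %n (user part) and %d (domain) are
# Dovecot's variables; the users table below is constructed for this demo.
PASSWORD_QUERY = (
    "SELECT userid, password FROM users "
    "WHERE userid = '%n' AND domain = '%d'"
)

def pg_escape(value: str) -> str:
    """Escape a value for a single-quoted SQL literal by doubling quotes,
    the standard-conforming-strings rule a driver escape routine applies."""
    return value.replace("'", "''")

def expand(template: str, variables: dict, escape=pg_escape) -> str:
    """Substitute %x variables, passing every value through the escape
    function first. Only bare single-letter variables are handled here."""
    def repl(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"unknown variable %{name}")
        return escape(variables[name])
    return re.sub(r"%([A-Za-z])", repl, template)

def make_db():
    """In-memory SQLite stand-in for the Postgres users table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid TEXT, domain TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "example.org", "s3cret"),
        ("o'brien", "example.org", "hunter2"),
    ])
    return conn

def lookup(conn, user: str, domain: str, escape=pg_escape):
    """Run the expanded query; returns the matching (userid, password) rows."""
    sql = expand(PASSWORD_QUERY, {"n": user, "d": domain}, escape)
    return conn.execute(sql).fetchall()

def unescaped_breaks(conn, user: str, domain: str) -> bool:
    """True if substituting the raw value (no escaping) produces a query the
    database rejects, i.e. a quote in the name broke out of the literal."""
    try:
        lookup(conn, user, domain, escape=lambda v: v)
    except sqlite3.OperationalError:
        return True
    return False
```

With escaping, a legitimate name such as o'brien is found and a forged name with a stray quote simply matches nothing; without it, the same apostrophe already breaks the query, which is the gap the per-driver escape function closes.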
D'ouh! I even remember having read that a while ago before I enabled SQL authentication. Thanks for reminding me that all is well. :)
J.
Americans have a better life. [Agree] [Disagree] http://www.slowlydownward.com/NODATA/data_enter2.html