30 Jan
2007
30 Jan
'07
1:12 p.m.
Hi Jochen,
In the wiki I didn't find anything specific, only http://wiki.dovecot.org/Variables which mentions that there is the %E modifier which escapes single quites and backslashes. This appears to be a good idea but I am asking myself whether I need to do this since it is not mentioned anywhere. Is anybody able to comment on this?
Escaping is a nice mitigation. But the method of choice ist are prepared statements (either in stored procedures or in the application). This is not only more secure than dynamically building SQL statements but also a bit faster. In fact it can accelerate the app even more since no escaping is needed then.
Hopefully Dovecot is already doing it that way.
Jürgen