Timo Sirainen wrote:
Escaping is a nice mitigation. But the method of choice is prepared statements (either in stored procedures or in the application). This is not only more secure than dynamically building SQL statements but also a bit faster. In fact it can accelerate the app even more, since no escaping is needed then.
Hopefully Dovecot is already doing it that way.
Last I checked MySQL library didn't support prepared statements at all. Maybe v5 finally does?
MySQL 5 does, but 4.1 already does too.
Anyway, another reason why Dovecot doesn't use prepared statements is that it limits what you can do with the SQL queries. Some people really are using, for example, dynamic table names such as users_%s.
Yes, prepared statements are a little more complicated in general, and they might be even a bit more so if they're to be constructed dynamically. But it can be done without problems. However, there might be security implications if the field name itself is composed of user input.
Maybe I'll add support for prepared statements some day, and then make it optional to use in the SQL queries. I don't think it'll give that big of a performance increment though, compared to what else needs to be done in the authentication.
Surely the improved performance doesn't carry weight in the authentication scenario. What I wrote was just general and about the case where a statement is reused often.
Jürgen
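The thread above contrasts escaping with prepared statements and raises the dynamic table name (users_%s) as the case a prepared statement cannot cover, because only values can be bound, not identifiers. The following is an added example illustrating both points; it is not Dovecot code and not from either poster. It uses Python's sqlite3 module as a stand-in for any database with parameter binding; the table layout, the users_ prefix convention and the identifier allow-list pattern are assumptions made for the illustration.

```python
import re
import sqlite3

# Constructed sample schema: one per-domain table, following the users_%s
# naming pattern mentioned in the thread (assumed layout, not Dovecot's).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_example_com (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users_example_com VALUES ('alice', 'secret')")
    return conn


def lookup_unsafe(conn, table_suffix, username):
    # Query text built by string formatting: both the identifier and the
    # value become part of the SQL that is parsed, so a quote in the
    # username changes the statement's meaning.
    sql = "SELECT password FROM users_%s WHERE username = '%s'" % (table_suffix, username)
    return conn.execute(sql).fetchall()


# Assumed policy for the dynamic part of the table name: lower-case
# letters, digits and underscore only, bounded length. Identifiers cannot
# be bound as parameters, so they need a check of this kind instead.
_SUFFIX_RE = re.compile(r"[a-z0-9_]{1,64}")


def lookup_safe(conn, table_suffix, username):
    if not _SUFFIX_RE.fullmatch(table_suffix):
        raise ValueError("table suffix not in allow-list: %r" % table_suffix)
    # The identifier is substituted only after the allow-list check; the
    # value travels as a bound parameter and is never part of the SQL text.
    sql = "SELECT password FROM users_%s WHERE username = ?" % table_suffix
    return conn.execute(sql, (username,)).fetchall()


def demo():
    # Constructed inputs: a legitimate lookup, a classic quote-based
    # injection in the value, and an attempt to smuggle SQL via the suffix.
    conn = make_db()
    injected_user = "' OR '1'='1"
    results = {
        "unsafe_injected": lookup_unsafe(conn, "example_com", injected_user),
        "safe_injected": lookup_safe(conn, "example_com", injected_user),
        "safe_normal": lookup_safe(conn, "example_com", "alice"),
    }
    try:
        lookup_safe(conn, "example_com WHERE 1=1 --", "alice")
        results["bad_suffix_rejected"] = False
    except ValueError:
        results["bad_suffix_rejected"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The string-built query returns alice's password for a username of `' OR '1'='1`, while the bound-parameter version returns nothing for the same input, which is the difference the poster calls "more secure than dynamically building SQL statements". The allow-list on the suffix is the part escaping does not give you: a quote-escaper protects string literals, but a table name is not a string literal, so the identifier has to be validated against a fixed pattern before it is spliced into the query.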