30 Jan 2007, 12:48 a.m.
Quoting Jochen Schulz:
On my way home today I thought a little bit about my setup, which involves user and password lookups in an SQL database (Postgres). I asked myself whether I need to do anything to prevent SQL injection via forged user or domain names.
RTSL! Every SQL driver has its own escape function, which is called for every %var string.
This was discussed before: http://dovecot.org/list/dovecot/2006-November/017610.html
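The behaviour described in the reply, as an added example that is not part of the original message and is not Dovecot's code: a query template is expanded and every substituted %var value goes through an escape function first. The names `append_escaped` and `expand_query`, the reduced variable set (`%u`, `%d`) and the quote-doubling escaper are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a driver's escape function: doubles single quotes.
   Assumes standard SQL literals where backslash is not special; a real driver
   calls its client library's function (libpq: PQescapeStringConn). */
static int append_escaped(char *out, size_t cap, size_t *len, const char *src)
{
    for (; *src != '\0'; src++) {
        size_t need = (*src == '\'') ? 2 : 1;
        if (*len + need >= cap) return -1;   /* keep room for the NUL */
        if (need == 2)
            out[(*len)++] = '\'';            /* ' becomes '' */
        out[(*len)++] = *src;
    }
    return 0;
}

/* Expand %u (user) and %d (domain) in tmpl. Template text is copied verbatim;
   every substituted value is escaped. Returns 0, or -1 if out is too small. */
int expand_query(char *out, size_t cap, const char *tmpl,
                 const char *user, const char *domain)
{
    size_t len = 0;
    if (cap == 0) return -1;
    for (; *tmpl != '\0'; tmpl++) {
        if (*tmpl == '%' && (tmpl[1] == 'u' || tmpl[1] == 'd')) {
            const char *val = (tmpl[1] == 'u') ? user : domain;
            if (append_escaped(out, cap, &len, val) < 0) return -1;
            tmpl++;                          /* skip the variable letter */
        } else {
            if (len + 1 >= cap) return -1;
            out[len++] = *tmpl;
        }
    }
    out[len] = '\0';
    return 0;
}

int main(void)
{
    const char *tmpl = "SELECT password FROM users WHERE userid = '%u' AND domain = '%d'";
    char q[256];
    /* Constructed input: a forged user name containing quotes. */
    if (expand_query(q, sizeof q, tmpl, "x' OR '1'='1", "example.org") == 0)
        puts(q);   /* the quotes are doubled, so the value stays one literal */
    return 0;
}
```

The escaping only protects values placed inside quoted literals, so the `'%u'` quoting in the query template still matters.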