16 Nov 2006, 10:41 a.m.
On Thu, 16 Nov 2006, Robin Elfrink wrote:
> Egbert Jan wrote:
>> I've taken this even further: I have separate 'users' for postfix, postfixadmin (web frontend for virtual users/domains) and dovecot. Each *might* need specific rights.
> Using restricted user rights and chroots and what not does not prevent SQL injection in any way.
Indeed.
But until auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@ is set, and default_pass_scheme won't be PLAIN we are secure against SQL injection. Right?
I have also found the %E variable - escape '"', "'" and '\' characters by inserting '\' before them, but how can I use it to escape characters from %u?
Best Regards.
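
As an added illustration (not part of the original message and not Dovecot's own code), the sketch below models the two checks discussed in the post: the auth_username_chars allowlist and the backslash escaping described for %E. The query template, the function names and the sample usernames are assumptions constructed for this example.

```python
# Added example: a model of the checks discussed above, not Dovecot's code.
# Character list copied verbatim from the message.
AUTH_USERNAME_CHARS = (
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@"
)

# The three characters the post says %E escapes: double quote, single quote, backslash.
QUOTING_CHARS = "\"'\\"

# Hypothetical query template for this example; %u stands for the login name.
QUERY_TEMPLATE = "SELECT password FROM users WHERE userid = '%u'"


def username_allowed(username, allowed=AUTH_USERNAME_CHARS):
    """Allowlist check: every character must be in the configured set."""
    return all(ch in allowed for ch in username)


def backslash_escape(value):
    """Prefix each quoting character with a backslash, as described for %E."""
    return "".join("\\" + ch if ch in QUOTING_CHARS else ch for ch in value)


def build_query(username, template=QUERY_TEMPLATE):
    """Reject names outside the allowlist, then escape before substituting."""
    if not username_allowed(username):
        raise ValueError("username contains a character outside the allowlist")
    return template.replace("%u", backslash_escape(username))


def quoting_chars_permitted(allowed=AUTH_USERNAME_CHARS):
    """Audit helper: which quoting characters would an allowlist let through?"""
    return sorted(set(allowed) & set(QUOTING_CHARS))


if __name__ == "__main__":
    # Constructed sample inputs.
    for name in ("alice@example.com", "x' OR '1'='1", "o'brien"):
        try:
            print(build_query(name))
        except ValueError as exc:
            print("rejected %r: %s" % (name, exc))
    # The posted list lets no quoting character through; a widened one would.
    print(quoting_chars_permitted())
    print(quoting_chars_permitted(AUTH_USERNAME_CHARS + "'"))
```

The audit helper matters when the allowlist is later widened: once a quote character is permitted, the escaping step is the only thing left between the username and the query string.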