[Dovecot] How to prevent SQL injection

Jochen Schulz ml at well-adjusted.de
Mon Jan 29 22:29:10 UTC 2007


Hi,

on my way home today I thought a little bit about my setup which
involves user and password lookups in an SQL database (Postgres). I
asked myself whether I need to do anything to prevent SQL injection via
forged user or domain names.

In the wiki I didn't find anything specific, only
http://wiki.dovecot.org/Variables which mentions that there is the %E
modifier which escapes single quotes and backslashes. This appears to be
a good idea but I am asking myself whether I need to do this since it is
not mentioned anywhere. Is anybody able to comment on this?

And BTW, it appears that one can use several modifiers at once. This is
only implicitly mentioned in the wiki (You can apply modifier*s*), but
it appears to work.

J.
-- 
Ultimately, the Millennium Dome is a spectacular monument of the
doublethink of our times.
[Agree]   [Disagree]
                 <http://www.slowlydownward.com/NODATA/data_enter2.html>
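To make the question concrete, here is an added example (written for this thread, not Dovecot's own var_expand() code) that models %u/%n/%d expansion with stacked modifiers, applies %E in the form the wiki describes (a backslash before ' and \), and then checks whether a user name containing a quote stays inside one SQL string literal. The function names expand, escape_backslash_style and literal_contents are assumptions, as is the exact escaping form.

```python
import re

# Added example for this thread, not Dovecot's own var_expand(): a toy model of
# %variable expansion, used to check whether a user-supplied value stays inside
# one SQL string literal. Names and the exact %E form are assumptions.
VAR_RE = re.compile(r"%([A-Z]*)([a-z%])")

def escape_backslash_style(value: str) -> str:
    """Modelled %E as the wiki describes it: prefix ' and \\ with a backslash."""
    return value.replace("\\", "\\\\").replace("'", "\\'")

MODIFIERS = {"L": str.lower, "U": str.upper, "E": escape_backslash_style}

def expand(template: str, user: str) -> str:
    """Expand %u/%n/%d; stacked modifiers such as %LEu apply left to right."""
    local, _, domain = user.partition("@")
    values = {"u": user, "n": local, "d": domain, "%": "%"}
    def sub(match):
        mods, name = match.groups()
        val = values[name]
        for mod in mods:  # an unknown modifier raises KeyError rather than passing silently
            val = MODIFIERS[mod](val)
        return val
    return VAR_RE.sub(sub, template)

def literal_contents(sql: str, backslash_escapes: bool) -> list:
    """Contents of each '...' literal in sql; raises if a literal is left unterminated."""
    # backslash_escapes=True:  \' is an embedded quote (MySQL-style string rules).
    # backslash_escapes=False: only '' embeds a quote and a backslash is an ordinary
    #   character (PostgreSQL with standard_conforming_strings on, default since 9.1).
    out, i, n = [], 0, len(sql)
    while i < n:
        if sql[i] != "'":
            i += 1; continue
        buf, i = [], i + 1
        while True:
            if i >= n:
                raise ValueError("unterminated literal: the value broke out of its quotes")
            if sql[i] == "\\" and backslash_escapes and i + 1 < n:
                buf.append(sql[i + 1]); i += 2
            elif sql[i] == "'" and i + 1 < n and sql[i + 1] == "'":
                buf.append("'"); i += 2
            elif sql[i] == "'":
                i += 1; break
            else:
                buf.append(sql[i]); i += 1
        out.append("".join(buf))
    return out
```

Running literal_contents with backslash_escapes=False on the %E-expanded query shows the caveat that comes with backslash escaping: PostgreSQL with standard_conforming_strings on treats the backslash as an ordinary character and expects an embedded quote to be written as '' instead, so the escaped value still ends the literal early there.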