[Dovecot] How to prevent SQL injection

Jakob Hirsch jh at plonk.de
Mon Jan 29 22:48:20 UTC 2007


Quoting Jochen Schulz:

> on my way home today I thought a little bit about my setup which
> involves user and password lookups in an SQL database (Postgres). I
> asked myself whether I need to do anything to prevent SQL injection via
> forged user or domainnames.

RTSL! Every SQL driver has its own escape function, which is called for
every %var string.

This was discussed before:
http://dovecot.org/list/dovecot/2006-November/017610.html
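An added illustration, not code from the original thread or from Dovecot itself: it emulates the per-driver escaping described above with a constructed in-memory SQLite table and a Dovecot-style `%u` template, and contrasts it with naive substitution and with a bound parameter. The table, the logins and the `PASSWORD_QUERY` template are assumptions for this example.

```python
import sqlite3

# Constructed sample accounts (not from the original post).
USERS = [("alice@example.com", "{PLAIN}s3cret"),
         ("bob@example.com", "{PLAIN}hunter2")]

# Hypothetical Dovecot-style password_query with a %u variable. Note that the
# variable sits inside single quotes: escaping only protects a value that is
# a quoted string literal, so the quotes in the template matter.
PASSWORD_QUERY = "SELECT userid, password FROM users WHERE userid = '%u'"

# Constructed login name that tries to rewrite the WHERE clause.
FORGED_LOGIN = "x' OR '1'='1"


def _conn():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def render_naive(template, login):
    """The failure mode: the login name is spliced into the SQL verbatim."""
    return template.replace("%u", login)


def escape_sqlite(value):
    """Driver-specific escaping (SQLite/PostgreSQL string convention: double
    every single quote). This mimics what a per-driver escape hook does for
    each %var before substitution."""
    return value.replace("'", "''")


def render_escaped(template, login):
    """Substitute %u only after passing it through the driver's escape."""
    return template.replace("%u", escape_sqlite(login))


def lookup(render, login):
    """Run the rendered template; return the userids it matched, sorted."""
    rows = _conn().execute(render(PASSWORD_QUERY, login)).fetchall()
    return sorted(row[0] for row in rows)


def lookup_parameterized(login):
    """What to prefer in your own code: bind the value, never splice it."""
    sql = "SELECT userid, password FROM users WHERE userid = ?"
    rows = _conn().execute(sql, (login,)).fetchall()
    return sorted(row[0] for row in rows)
```

With the forged login, naive substitution matches every account, while the escaped and parameterized lookups match none; a legitimate login behaves identically under all three.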
