[Dovecot] How to prevent SQL injection
Jakob Hirsch
jh at plonk.de
Mon Jan 29 22:48:20 UTC 2007
Quoting Jochen Schulz:
> On my way home today I thought a little bit about my setup which
> involves user and password lookups in an SQL database (Postgres). I
> asked myself whether I need to do anything to prevent SQL injection via
> forged user or domain names.
RTSL! Every SQL driver has its own escape function, which is called for
every %var string.
This was discussed before:
http://dovecot.org/list/dovecot/2006-November/017610.html
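
The behaviour described in the reply above, as an added example that is not part of the original post and not Dovecot's own code: each %var value passes through an escape function before it is placed in the query template. The function names, the query template, the handling of only %u and %d, and the quote-doubling escape routine are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical stand-in for a driver's escape function: doubles single quotes. */
static int escape_quotes(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (; *in != '\0'; in++) {
        if (o + (*in == '\'' ? 2 : 1) >= outlen)
            return -1;              /* out of room: fail rather than truncate */
        if (*in == '\'')
            out[o++] = '\'';
        out[o++] = *in;
    }
    out[o] = '\0';
    return 0;
}

/* Expand %u (login) and %d (domain) in tmpl, escaping each value; -1 on overflow. */
int expand_query(const char *tmpl, const char *user, char *out, size_t outlen)
{
    const char *at = strchr(user, '@');
    const char *domain = at != NULL ? at + 1 : "";
    size_t o = 0;
    if (outlen == 0)
        return -1;
    for (; *tmpl != '\0'; tmpl++) {
        if (tmpl[0] == '%' && (tmpl[1] == 'u' || tmpl[1] == 'd')) {
            const char *val = *++tmpl == 'u' ? user : domain; /* step onto the letter */
            if (escape_quotes(val, out + o, outlen - o) < 0)
                return -1;
            o += strlen(out + o);
        } else if (o + 1 < outlen) {
            out[o++] = *tmpl;
        } else {
            return -1;
        }
    }
    out[o] = '\0';
    return 0;
}

int main(void)
{
    char q[256]; /* template and forged login name below are constructed */
    if (expand_query("SELECT password FROM users WHERE userid = '%u'",
                     "x' OR 'a'='a@example.org", q, sizeof(q)) == 0)
        puts(q);
    return 0;
}
```

Because every quote in the value is doubled, the forged name stays inside the string literal and is compared as data. A real driver hands this job to its database client library, which also accounts for server-specific escaping rules.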