[Dovecot] How to prevent SQL injection

Jürgen Herz juergen at jherz.redirectme.net
Tue Jan 30 11:12:55 UTC 2007


Hi Jochen,

> In the wiki I didn't find anything specific, only
> http://wiki.dovecot.org/Variables which mentions that there is the %E
> modifier which escapes single quotes and backslashes. This appears to be
> a good idea but I am asking myself whether I need to do this since it is
> not mentioned anywhere. Is anybody able to comment on this?

Escaping is a nice mitigation.
But the method of choice is prepared statements (either in stored
procedures or in the application). This is not only more secure than
dynamically building SQL statements but also a bit faster.
In fact it can accelerate the app even more since no escaping is needed
then.

Hopefully Dovecot is already doing it that way.

Jürgen
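As an added example (not from this thread and not Dovecot's own code), here are the three approaches discussed above side by side in Python with SQLite: a password lookup built by string interpolation, the same lookup with a %E-style escaper applied, and a prepared (parameterised) statement. The table and user names are constructed; the escaper doubles single quotes because SQLite does not treat a backslash as an escape character, unlike the MySQL-style form %E emits.

```python
import sqlite3

# Constructed sample table standing in for what a password_query would read
# (hypothetical schema, not Dovecot's own).
USERS = [("alice", "s3cret-a"), ("o'brien", "s3cret-b")]

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn

def escape_value(value: str) -> str:
    """Escaper in the spirit of %E. Dovecot's %E backslash-escapes for MySQL;
    SQLite only understands quote doubling, so that is what we do here."""
    return value.replace("'", "''")

def lookup_interpolated(conn, userid: str, escape: bool) -> list:
    """Dynamic SQL: the value is pasted into the statement text."""
    value = escape_value(userid) if escape else userid
    sql = "SELECT userid, password FROM users WHERE userid = '%s'" % value
    return conn.execute(sql).fetchall()

def lookup_prepared(conn, userid: str) -> list:
    """Prepared form: statement text is fixed, the driver binds the value,
    so no escaping is needed at all."""
    sql = "SELECT userid, password FROM users WHERE userid = ?"
    return conn.execute(sql, (userid,)).fetchall()

def compare(userid: str) -> dict:
    """Row count returned by each approach for one input; 'error' if the
    statement no longer parses (the interpolated value broke the query)."""
    conn = make_db()
    result = {}
    for name, fn in (("raw", lambda: lookup_interpolated(conn, userid, False)),
                     ("escaped", lambda: lookup_interpolated(conn, userid, True)),
                     ("prepared", lambda: lookup_prepared(conn, userid))):
        try:
            result[name] = len(fn())
        except sqlite3.Error:
            result[name] = "error"
    return result

if __name__ == "__main__":
    # A plain name, a legitimate name containing a quote, and a crafted value
    # that changes the WHERE clause when pasted in unescaped.
    for u in ("alice", "o'brien", "' OR '1'='1"):
        print(repr(u), compare(u))
```

The legitimate user `o'brien` already shows the difference: the raw query fails to parse, while both the escaped and the prepared form return exactly one row.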
