[Dovecot] How to prevent SQL injection

Jakob Hirsch jh at plonk.de
Tue Jan 30 12:28:40 UTC 2007


Quoting Timo Sirainen:

> Last I checked MySQL library didn't support prepared statements at all.
> Maybe v5 finally does?

mysql's C API does it since 4.1 (see
http://dev.mysql.com/doc/refman/4.1/en/c-api-prepared-statements.html et
sqq.). In theory, it should make things faster, but last time I check
(with 5.0, AFAIR), it didn't give any performance advantage (was even
slightly slower), but that may heavily depend on the environment, flags etc.
The nice thing about prepared statements is, IMO, that you don't have to
mess around with the query string.




More information about the dovecot mailing list