[Dovecot] How to prevent SQL injection

Jürgen Herz juergen at jherz.redirectme.net
Tue Jan 30 12:51:14 UTC 2007


Timo Sirainen wrote:

>> Escaping is a nice mitigation.
>> But the method of choice is prepared statements (either in stored
>> procedures or in the application). This is not only more secure than
>> dynamically building SQL statements but also a bit faster.
>> In fact it can accelerate the app even more since no escaping is needed
>> then.
>> 
>> Hopefully Dovecot is already doing it that way.
> 
> Last I checked MySQL library didn't support prepared statements at all.
> Maybe v5 finally does?

MySQL 5 does but 4.1 already does also.

> Anyway, other reasons why Dovecot doesn't use prepared statements is
> because it limits what you can do with the SQL queries. Some people
> really are using for example dynamic table names such as users_%s.

Yes, prepared statements are a little more complicated in general and
they might even be a bit more if they're to be constructed dynamically. But
it can be done without problems.
However, there might be security implications if the field name itself is
composed of user input.

> Maybe I'll add support for prepared statements some day, and then make
> it optional to use in the SQL queries. I don't think it'll give that big
> of a performance increment though, compared to what else is needed to be
> done in the authentication.

Surely the improved performance doesn't carry weight in the
authentication scenario. What I wrote was just general and applies when a
statement is reused often.

Jürgen
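As an added illustration (not code from Dovecot or from anyone in this thread), the distinction the exchange turns on: the user-supplied value goes through a bind parameter, while a dynamic table name like users_%s, which cannot be a bind parameter, is checked against a fixed allow-list. It uses Python's sqlite3 on a constructed in-memory schema; the table suffixes and user rows are made up for the example.

```python
import re
import sqlite3

# Constructed allow-list of table suffixes (assumption: one users_<suffix>
# table per hosted domain, the "users_%s" pattern from the thread).
KNOWN_TABLE_SUFFIXES = {"example_com", "example_org"}
# Belt-and-braces: even an allow-listed name must look like a plain identifier.
_IDENT_RE = re.compile(r"^[A-Za-z0-9_]+$")


def make_db():
    """Build a throwaway in-memory database with one constructed user row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_example_com (userid TEXT, password TEXT)")
    conn.execute("INSERT INTO users_example_com VALUES ('alice', 'secret1')")
    return conn


def naive_query(conn, userid):
    """The 'before': SQL built by string formatting, no escaping.

    A quote character in userid becomes part of the statement, so the
    WHERE clause no longer means what the author intended.
    """
    sql = "SELECT password FROM users_example_com WHERE userid = '%s'" % userid
    return conn.execute(sql).fetchall()


def safe_query(conn, suffix, userid):
    """Parameterize the value; allow-list the identifier.

    The table name is the one part a prepared statement cannot bind, so it
    is accepted only if it is already a known, well-formed suffix.
    """
    if suffix not in KNOWN_TABLE_SUFFIXES or not _IDENT_RE.match(suffix):
        raise ValueError("unknown table suffix: %r" % suffix)
    # The '?' placeholder is filled by the driver; userid is always data.
    sql = "SELECT password FROM users_%s WHERE userid = ?" % suffix
    return conn.execute(sql, (userid,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"
    print("naive:", naive_query(db, crafted))            # returns alice's row
    print("safe :", safe_query(db, "example_com", crafted))  # returns []
```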
