[Dovecot] How to prevent SQL injection
Jochen Schulz
ml at well-adjusted.de
Tue Jan 30 13:39:32 UTC 2007
Jakob Hirsch:
> Quoting Jochen Schulz:
>
>> on my way home today I thought a little bit about my setup which
>> involves user and password lookups in an SQL database (Postgres). I
>> asked myself whether I need to do anything to prevent SQL injection via
>> forged user or domain names.
>
> RTSL! Every sql driver has its own escape function, which is called for
> every %var string.
>
> This was discussed before:
> http://dovecot.org/list/dovecot/2006-November/017610.html
D'ouh! I even remember having read that a while ago before I enabled SQL
authentication. Thanks for reminding me that all is well. :)
J.
--
Americans have a better life.
[Agree] [Disagree]
<http://www.slowlydownward.com/NODATA/data_enter2.html>
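
What escaping every %var expansion buys, shown as an added example that is not part of this thread and is not Dovecot's code. The query template, the table, and the quote-doubling `escape_literal` are constructed stand-ins for a driver's escape function, and the lookup runs against an in-memory SQLite database instead of Postgres.

```python
import re
import sqlite3

# Constructed template in the style of a password_query setting;
# the table and column names are assumptions for this example.
TEMPLATE = "SELECT password FROM users WHERE userid = '%n' AND domain = '%d'"

# Constructed login whose local part tries to close the string literal.
FORGED = "x' OR '1'='1@example.org"

def escape_literal(value):
    """Simplified stand-in for a driver escape function: double single quotes."""
    return value.replace("'", "''")

def expand(template, login, escape=None):
    """Expand %n (local part) and %d (domain), escaping each value if asked."""
    user, _, domain = login.partition("@")
    values = {"n": user, "d": domain}

    def substitute(match):
        value = values[match.group(1)]
        return escape(value) if escape else value

    return re.sub(r"%([nd])", substitute, template)

def make_db():
    """Build a two-user table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (userid TEXT, domain TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "example.org", "hash-a"), ("bob", "example.org", "hash-b")],
    )
    return db

def lookup(db, login, escape=None):
    """Run the expanded query and return the matching password fields."""
    return [row[0] for row in db.execute(expand(TEMPLATE, login, escape))]

if __name__ == "__main__":
    db = make_db()
    print("unescaped query:", expand(TEMPLATE, FORGED))
    print("unescaped rows :", lookup(db, FORGED))
    print("escaped query  :", expand(TEMPLATE, FORGED, escape_literal))
    print("escaped rows   :", lookup(db, FORGED, escape_literal))
    print("normal login   :", lookup(db, "alice@example.org", escape_literal))
```

Without escaping, the forged name changes the WHERE clause and every row in the domain matches; with escaping it stays a single string literal that matches no user.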