[Dovecot] How to prevent SQL injection

Jochen Schulz ml at well-adjusted.de
Tue Jan 30 13:39:32 UTC 2007


Jakob Hirsch:
> Quoting Jochen Schulz:
> 
>> on my way home today I thought a little bit about my setup which
>> involves user and password lookups in an SQL database (Postgres). I
>> asked myself whether I need to do anything to prevent SQL injection via
>> forged user or domainnames.
> 
> RTSL! Every sql driver has its own escape function, which is called for
> every %var string.
> 
> This was discussed before:
> http://dovecot.org/list/dovecot/2006-November/017610.html

D'ouh! I even remember having read that a while ago before I enabled SQL
authentication. Thanks for reminding me that all is well. :)

J.
-- 
Americans have a better life.
[Agree]   [Disagree]
                 <http://www.slowlydownward.com/NODATA/data_enter2.html>
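As an added illustration (not part of the thread and not Dovecot's own code), this shows the difference between splicing a %u value into a password_query template verbatim and passing it through the driver's escape function first, as Jakob describes. It assumes sqlite3 standing in for Postgres, standard-SQL quote doubling standing in for the driver's escape routine, and a constructed two-row user table.

```python
import sqlite3

# Constructed sample user table standing in for the Postgres auth database.
SAMPLE_USERS = [
    ("alice@example.org", "s3cret"),
    ("bob@example.org", "hunter2"),
]

# A Dovecot-style password_query template; %u is the username variable.
PASSWORD_QUERY = "SELECT userid, password FROM users WHERE userid = '%u'"


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def sql_escape(value: str) -> str:
    """Standard-SQL string-literal escaping: double every single quote.
    Assumed stand-in for the per-driver escape function the thread refers to."""
    return value.replace("'", "''")


def lookup_unescaped(conn: sqlite3.Connection, username: str) -> list:
    """Naive substitution: the %u value is spliced into the query as-is."""
    query = PASSWORD_QUERY.replace("%u", username)
    return conn.execute(query).fetchall()


def lookup_escaped(conn: sqlite3.Connection, username: str) -> list:
    """What the driver does for every %var: escape, then substitute."""
    query = PASSWORD_QUERY.replace("%u", sql_escape(username))
    return conn.execute(query).fetchall()


def demo() -> dict:
    conn = open_db()
    # Constructed forged login name containing a quote and SQL text.
    forged = "x' OR userid LIKE '%"
    return {
        "normal": lookup_escaped(conn, "alice@example.org"),
        # Unescaped: the quote closes the literal and the rest becomes SQL,
        # so the lookup matches every row instead of one.
        "forged_unescaped": lookup_unescaped(conn, forged),
        # Escaped: the whole value stays a string literal and matches nothing.
        "forged_escaped": lookup_escaped(conn, forged),
    }
```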