quote strings passed to sql

Reindl Harald h.reindl at thelounge.net
Mon Feb 2 17:09:29 UTC 2015


On 02.02.2015 at 18:07, Juan Bernhard wrote:
> Hello list. I'm thinking to migrate the whole user db from system users
> to mysql. I already did it in a test environment, but something is
> annoying my OCD... I don't quote the variables username and password
> sent to the mysql server. I know, the mysql user that dovecot uses only
> has select rights, but it still bothers me, because it's possible to do
> a useless sql code injection.
>
> Is there a way to quote that? Something like exim's quote_mysql?

there is not much to quote when dovecot accepts only a limited set of 
chars at all and otherwise doesn't send any query

auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@%
auth_username_translation = %@AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz
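The following is an added example, not Dovecot's code and not part of the thread. It models the two settings quoted above: `auth_username_translation` rewrites characters pairwise (`%` becomes `@`, upper case becomes lower case), and `auth_username_chars` is an allowlist; a username containing any other character is rejected and no query is built. The order (translate first, then check the allowlist), the table name `users`, the column names, and the sample row are assumptions made for the example. The lookup function also binds the username as a query parameter, which is the belt-and-braces answer to the original question even where the allowlist already rules out quote characters.

```python
import sqlite3

# Constructed example modelling Dovecot's username filtering as described
# in the reply; not Dovecot's own implementation.
# Assumption: translation is applied before the allowlist check.

AUTH_USERNAME_CHARS = (
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@%"
)
AUTH_USERNAME_TRANSLATION = (
    "%@AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz"
)

# Characters an SQL parser cares about; none of them are in the allowlist,
# so a value that passes the check cannot terminate a quoted literal.
SQL_METACHARS = set("'\";\\ \t\r\n#/*")


def build_translation(spec: str) -> dict:
    """Turn 'abcd' into {'a': 'b', 'c': 'd'}: each odd character maps to the next."""
    if len(spec) % 2:
        raise ValueError("auth_username_translation needs an even number of characters")
    return {spec[i]: spec[i + 1] for i in range(0, len(spec), 2)}


def fix_username(raw: str, chars: str = AUTH_USERNAME_CHARS,
                 translation: str = AUTH_USERNAME_TRANSLATION):
    """Return the translated username, or None if any character is not allowlisted."""
    table = build_translation(translation)
    translated = "".join(table.get(c, c) for c in raw)
    if any(c not in chars for c in translated):
        return None  # Dovecot fails the login here; no SQL is ever sent
    return translated


def allowlist_excludes_sql_metachars(chars: str = AUTH_USERNAME_CHARS) -> bool:
    """True when the allowlist and the SQL metacharacter set are disjoint."""
    return not (set(chars) & SQL_METACHARS)


def lookup_password(conn, raw_username: str):
    """Reject bad usernames first, then query with a bound parameter (no interpolation)."""
    username = fix_username(raw_username)
    if username is None:
        return None
    row = conn.execute(
        "SELECT password FROM users WHERE userid = ?", (username,)
    ).fetchone()
    return row[0] if row else None


def demo_db():
    """Constructed in-memory table standing in for the MySQL user db (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid TEXT PRIMARY KEY, password TEXT)")
    conn.execute(
        "INSERT INTO users VALUES ('juan@example.com', '{PLAIN}constructed-secret')"
    )
    return conn


if __name__ == "__main__":
    db = demo_db()
    for raw in ["Juan%Example.COM",
                "juan@example.com' OR '1'='1",
                "x;DROP TABLE users--"]:
        print(repr(raw), "->", fix_username(raw), lookup_password(db, raw))
```

Running it shows `Juan%Example.COM` normalised to `juan@example.com` and matched, while both strings carrying quotes, spaces or semicolons are rejected before the query stage. Note that the allowlist still admits `_`, which is a `LIKE` wildcard; that is harmless for an equality comparison but worth remembering if a query uses `LIKE`.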
