quote strings passed to sql

Reindl Harald h.reindl at thelounge.net
Mon Feb 2 18:18:47 UTC 2015


Am 02.02.2015 um 18:17 schrieb Juan Bernhard:
>> Am 02.02.2015 um 18:07 schrieb Juan Bernhard:
>>> Hello list. I'm thinking to migrate the whole user db from system users
>>> to mysql. I already did it in a test environment, but something is
>>> annoying my OCD... I don't quote the variables username and password
>>> sent to the mysql server. I know, the mysql user that dovecot uses only
>>> has select rights, but it still bothers me, because it's possible to do
>>> a useless sql code injection.
>>>
>>> Is there a way to quote that? Something like exim's quote_mysql?
>>
>> there is not much to quote when dovecot accepts only a limited set of
>> chars at all and otherwise doesn't send any query
>>
>> auth_username_chars =
>> abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@%
>> auth_username_translation =
>> %@AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz
>>
> The password is not subject to this limitation. I'm not an sql expert, I
> still *think* that there is nothing to worry about... but I'm not 100% sure

did you *test* it or do you just assume?
who says something like "quote_mysql" is needed at all?

postfix also doesn't need such a function
http://www.postfix.org/mysql_table.5.html

SELECT [select_field] FROM [table] WHERE [where_field] = '%s'
[additional_conditions]

The '%s' in the WHERE clause expands to the escaped search string.

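The point Juan raises, that an auth_username_chars whitelist protects the username but not the password, can be checked directly. The following is an added example written for this page, not code from the thread, from Dovecot or from Postfix; it uses an in-memory SQLite database with constructed users in place of MySQL, and the query template, the lookup_* function names and the sample accounts are assumptions made for the demonstration. It builds the password query three ways: by plain textual substitution (the case the original poster is worried about), by quoting the values before substitution (what a quote_mysql-style function does), and with bound parameters.

```python
import sqlite3

# The character whitelist quoted in the thread (auth_username_chars). Anything
# outside it is rejected before a query is built, which is why the username
# alone cannot carry SQL metacharacters such as ' or a space.
AUTH_USERNAME_CHARS = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@%"
)

# Assumed query template, modelled on a typical password_query with %u / %w.
TEMPLATE = "SELECT userid FROM users WHERE userid = '%s' AND password = '%s'"


def username_allowed(username):
    """Mimic the effect of auth_username_chars: reject anything outside the set."""
    return bool(username) and all(c in AUTH_USERNAME_CHARS for c in username)


def setup_db():
    """Constructed test data: two users in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid TEXT PRIMARY KEY, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice@example.com", "s3cret"), ("bob@example.com", "hunter2")],
    )
    conn.commit()
    return conn


def sql_quote(value):
    """Escape a string for inclusion inside single quotes.

    This is SQLite's rule (double each single quote). A MySQL escaper must
    additionally handle backslashes and NUL; use the client library's
    real-escape function there rather than reimplementing it.
    """
    return value.replace("'", "''")


def lookup_unsafe(conn, username, password):
    """Textual substitution with no escaping: the case the poster fears."""
    if not username_allowed(username):
        return []
    query = TEMPLATE % (username, password)
    return [row[0] for row in conn.execute(query).fetchall()]


def lookup_escaped(conn, username, password):
    """Textual substitution, but every value is quoted first (quote_mysql style)."""
    if not username_allowed(username):
        return []
    query = TEMPLATE % (sql_quote(username), sql_quote(password))
    return [row[0] for row in conn.execute(query).fetchall()]


def lookup_param(conn, username, password):
    """Bound parameters: the driver sends values separately from the SQL text."""
    if not username_allowed(username):
        return []
    rows = conn.execute(
        "SELECT userid FROM users WHERE userid = ? AND password = ?",
        (username, password),
    ).fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    conn = setup_db()
    injected = "' OR '1'='1"
    # Username carrying metacharacters is stopped by the whitelist in every variant.
    print("username injection:", lookup_unsafe(conn, "alice' --", "x"))
    # Password is not whitelisted: without escaping the WHERE clause is rewritten.
    print("unsafe:  ", lookup_unsafe(conn, "alice@example.com", injected))
    print("escaped: ", lookup_escaped(conn, "alice@example.com", injected))
    print("param:   ", lookup_param(conn, "alice@example.com", injected))
```

With the unescaped template the injected password turns the clause into `password = '' OR '1'='1'`, which matches every row, so an authentication that only checks "did the query return a row" would succeed for any account. The quoted and parameterised variants return nothing for the same input, and both still accept the legitimate credentials. The SELECT-only grant mentioned in the thread limits the damage to reads, but as this shows a read is enough to pass a login check.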