quote strings passed to sql

Steffen Kaiser skdovecot at smail.inf.fh-brs.de
Tue Feb 3 07:20:27 UTC 2015


On Mon, 2 Feb 2015, Juan Bernhard wrote:

> Hello list. I'm thinking of migrating the whole user db from system users
> to mysql. I already did it in a test environment, but something is
> annoying my OCD... I don't quote the variables username and password
> sent to the mysql server. I know, the mysql user that dovecot uses only
> has select rights, but it still bothers me, because it's possible to do
> a useless sql code injection.
>
> Is there a way to quote that? Something like exim's quote_mysql?

http://dovecot.org/list/dovecot/2006-November/017610.html

-- 
Steffen Kaiser

