[Mimedefang] Re: sql integration of quarantine and others
Dave O'Neill
dmo at roaringpenguin.com
Wed Apr 4 12:38:39 EDT 2007
On Wed, Apr 04, 2007 at 09:27:18AM -0400, Jeff Rife wrote:
> If you truly worry about SQL injection from the contents of a full e-mail
> message (which is highly unlikely), just use prepared statements:
A successful _accidental_ SQL injection from an email is unlikely, but
query failures due to SQL metacharacters in an email will be a common
problem for you. People use apostrophes and brackets and other
SQL-breakers in email quite often. And, there's always the chance of a
deliberate attack against your system by someone looking for holes of
this sort.
As a general rule, you should use placeholders for any input provided to
an SQL query. You don't need to go the full route of preparing a
statement handle as in your example:
> $sth = $dbh->prepare(qq{
>     INSERT INTO mail (ip_address, mail_message)
>     VALUES (?, ?)
> });
>
> $sth->execute($RelayAddr, $msg);
Instead, you can provide extra arguments to do(), such as:
$dbh->do(q{INSERT INTO mail (ip_address, mail_message) VALUES (?, ?)},
         undef,          # statement attributes (none needed here)
         $RelayAddr,     # bound to the first ?
         $msg);          # bound to the second ?
Cheers,
Dave
--
Dave O'Neill <dmo at roaringpenguin.com> Roaring Penguin Software Inc.
+1 (613) 231-6599 http://www.roaringpenguin.com/
For CanIt technical support, please mail: support at roaringpenguin.com
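The following script is an added example, not code from this thread or from MIMEDefang, that runs the three variants discussed above against an in-memory SQLite database: an interpolated INSERT that fails on an ordinary apostrophe, Jeff's prepare/execute form, and Dave's do() form with bind values. It assumes DBI and DBD::SQLite are installed; the table definition, the relay address and the message body are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example (not from the original post or MIMEDefang): shows why an
# interpolated INSERT breaks on ordinary e-mail text, and that DBI placeholders
# (via prepare/execute or the extra arguments to do()) store the same text
# correctly. Assumes DBI and DBD::SQLite are installed; the table and the
# sample message are constructed here.
use strict;
use warnings;
use DBI;

# RaiseError is off so that the deliberately broken statement below returns
# undef instead of dying, letting us print the error and continue.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 0, PrintError => 0, AutoCommit => 1 })
    or die DBI->errstr;

$dbh->do(q{CREATE TABLE mail (ip_address TEXT, mail_message TEXT)})
    or die $dbh->errstr;

# Constructed sample: a harmless message body containing an apostrophe and
# brackets, the sort of text Dave describes as an "SQL-breaker".
my $RelayAddr = '192.0.2.10';
my $msg = "Hi all,\n\nDon't forget the meeting at 3 o'clock [room B].\n";

# 1. String interpolation: the apostrophe in "Don't" terminates the literal
#    early and the rest of the body is parsed as SQL, so the statement fails.
my $rows = $dbh->do(qq{INSERT INTO mail (ip_address, mail_message)
                       VALUES ('$RelayAddr', '$msg')});
print defined $rows
    ? "interpolated insert succeeded\n"
    : "interpolated insert failed: " . $dbh->errstr . "\n";

# 2. Placeholders via prepare/execute (Jeff's form): the message is passed as a
#    bound value, so its contents are never parsed as SQL.
my $sth = $dbh->prepare(
    q{INSERT INTO mail (ip_address, mail_message) VALUES (?, ?)})
    or die $dbh->errstr;
$sth->execute($RelayAddr, $msg) or die $sth->errstr;

# 3. Placeholders via do() (Dave's shorter form): the second argument is the
#    attribute hashref (undef here), followed by the bind values in order.
$dbh->do(q{INSERT INTO mail (ip_address, mail_message) VALUES (?, ?)},
         undef, $RelayAddr, $msg)
    or die $dbh->errstr;

# Both placeholder inserts stored the body verbatim, apostrophe and brackets
# included; selectrow_array takes bind values the same way do() does.
my ($count) = $dbh->selectrow_array(
    q{SELECT COUNT(*) FROM mail WHERE mail_message = ?}, undef, $msg);
print "rows stored with the exact message text: $count\n";

$dbh->disconnect;
```

Run it as `perl placeholders.pl`: the first INSERT reports a syntax error from SQLite while the two placeholder variants succeed and the final count reflects both of them. The binding is done by the driver, so no quoting or escaping of the message body is needed in the filter code.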