[Mimedefang] Re: sql integration of quarentine and others

Dave O'Neill dmo at roaringpenguin.com
Wed Apr 4 12:38:39 EDT 2007


On Wed, Apr 04, 2007 at 09:27:18AM -0400, Jeff Rife wrote:

> If you truly worry about SQL injection from the contents of a full e-
> mail message (which is highly unlikely), just use prepared statements:

A successful _accidental_ SQL injection from an email is unlikely, but
query failures due to SQL metacharacters in an email will be a common
problem for you.  People use apostrophes and brackets and other
SQL-breakers in email quite often.  And, there's always the chance of a
deliberate attack against your system by someone looking for holes of
this sort.

As a general rule, you should use placeholders for any input provided to
an SQL query.  You don't need to go the full route of preparing a
statement handle as in your example:

> $sth = $dbh->prepare(qq{
> INSERT INTO mail (ip_address, mail_message)
> VALUES (?, ?)
> });
> 
> $sth->execute($RelayAddr, $msg);

Instead, you can provide extra arguments to do(), such as:

  $dbh->do(q{INSERT INTO mail (ip_address, mail_message) VALUES (?,?)},
         undef,
         $RelayAddr,
         $msg);

Cheers,
Dave
-- 
Dave O'Neill <dmo at roaringpenguin.com>    Roaring Penguin Software Inc.
+1 (613) 231-6599                        http://www.roaringpenguin.com/
For CanIt technical support, please mail: support at roaringpenguin.com
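An added example illustrating the point in the reply above (it is not code from the thread, from MIMEDefang or from Roaring Penguin): interpolating a message body containing an ordinary apostrophe into an SQL string makes the INSERT fail to parse, while DBI placeholders, either through the extra arguments to do() or through prepare()/execute(), store the same text verbatim. It assumes DBD::SQLite is installed and uses an in-memory database; the relay address and message bodies are constructed sample inputs.

```perl
#!/usr/bin/perl
# Added example, not from the original thread.  Assumes DBD::SQLite is
# available; the database is in-memory so this runs offline.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, PrintError => 0, AutoCommit => 1 });

$dbh->do(q{CREATE TABLE mail (ip_address TEXT, mail_message TEXT)});

# Constructed sample inputs: a relay address and a message body with an
# apostrophe and square brackets, as real mail routinely contains.
my $RelayAddr = '192.0.2.10';
my $msg       = "Don't forget the meeting [tomorrow].\n";

# 1. String interpolation: the apostrophe in $msg terminates the SQL
#    string literal early, so the statement does not parse.  RaiseError
#    turns that into an exception, which eval catches here.
my $interpolated = "INSERT INTO mail (ip_address, mail_message) "
                 . "VALUES ('$RelayAddr', '$msg')";
eval { $dbh->do($interpolated) };
print "interpolated INSERT failed: $@" if $@;

# 2. Placeholders through do(): the second argument is the \%attr hashref
#    (undef here), followed by the bind values in placeholder order.
$dbh->do(q{INSERT INTO mail (ip_address, mail_message) VALUES (?,?)},
         undef, $RelayAddr, $msg);

# 3. The same through an explicit statement handle, which is worth the
#    extra step when many rows go through one prepared statement.
my $sth = $dbh->prepare(
    q{INSERT INTO mail (ip_address, mail_message) VALUES (?,?)});
$sth->execute($RelayAddr, $_) for ("plain body\n", "another 'quoted' body\n");

# Bound values are stored exactly as given, metacharacters included, and
# the lookup below also binds its WHERE value rather than interpolating it.
my ($count) = $dbh->selectrow_array(
    q{SELECT COUNT(*) FROM mail WHERE ip_address = ?}, undef, $RelayAddr);
print "rows stored for $RelayAddr: $count\n";

$dbh->disconnect;
```

The first do() call fails for the same reason an attacker-chosen body could alter the query: the database cannot tell where the data ends and the SQL resumes. With placeholders the driver sends the values separately from the statement text, so neither accidental apostrophes nor deliberate payloads reach the parser as SQL.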