SQL escaping

Arran Cudbard-Bell a.cudbardb at freeradius.org
Wed Sep 19 19:13:33 CEST 2012


> 
> 
> update control {
>  Tmp-String-0 := "table1"
> }
> update control {
>  Tmp-Integer-0 := "%{sql:select * from %{control:Tmp-String-0} ...}"
> }
> 
> Does anyone have any insight into how to go about this?

I guess you could have a special xlat function that does double expansion... That's what you really want here; it's not something specific to the sql module.

update control {
	Tmp-String-2 := "%{eval:%%{sql:SELECT * FROM %{control:Tmp-String-0} WHERE username='%%{User-Name}'}}"
}

That'd let you do what you wanted, right?

There might already be one buried in the depths of the server somewhere.

> In particular, I note that the libpq API requires a reference to the connection object you're about to send the query down, because per-connection attributes (like client encoding) might affect the escaping. This could be doubly troublesome if you are talking to >1 backend with distinct SQL settings (a bad idea I know).

Yeah +1 for the escape function accepting a context pointer.

-Arran
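The libpq point raised above (the escape function has to know which connection the query will go down) is easy to state and easy to under-appreciate, so here is an added example, written for this page and not taken from the thread, from FreeRADIUS or from libpq. It is a small C model, not a driver: the `sql_ctx` struct, the `escape_literal_conn` / `escape_literal_naive` / `literal_end` / `literal_intact` names, the two-encoding world (UTF-8 and Shift_JIS) and the attacker input are all constructed for illustration. In real libpq the corresponding calls are `PQescapeStringConn()` for string literals and `PQescapeIdentifier()` for table and column names, and both take the `PGconn *` for exactly the reasons modelled here; the table name in the quoted question is an identifier, not a string, and needs the identifier form, since identifiers cannot be bound as query parameters.

```c
/* Added model (not libpq's or FreeRADIUS's code) of why an SQL escape function needs
 * the connection it escapes for: client_encoding and standard_conforming_strings
 * both change what the correct escape is. */
#include <string.h>

enum sql_encoding { ENC_UTF8, ENC_SJIS };   /* two encodings suffice to show the point */

struct sql_ctx {                            /* assumed per-connection state */
    enum sql_encoding encoding;
    int standard_conforming_strings;        /* 1: '\' is ordinary; 0: '\' escapes */
};

/* Constructed connection settings used by the scenarios below. */
const struct sql_ctx CTX_UTF8_STD = { ENC_UTF8, 1 }, CTX_UTF8_ESC = { ENC_UTF8, 0 },
                     CTX_SJIS_ESC = { ENC_SJIS, 0 };
char scratch[64];                           /* output buffer for one-off calls */

/* Byte length of the character at p. Shift_JIS lead bytes 0x81-0x9F/0xE0-0xFC take a
 * trail byte that may be 0x5C ('\'); UTF-8 trail bytes are >= 0x80, never ASCII. */
static size_t char_len(const struct sql_ctx *ctx, const unsigned char *p)
{
    size_t len = 1, i;
    unsigned char c = *p;
    if (ctx->encoding == ENC_SJIS) {
        if ((c >= 0x81 && c <= 0x9F) || (c >= 0xE0 && c <= 0xFC)) len = 2;
    } else if (c >= 0xC0) {
        len = (c & 0xE0) == 0xC0 ? 2 : (c & 0xF0) == 0xE0 ? 3 : (c & 0xF8) == 0xF0 ? 4 : 1;
    }
    for (i = 1; i < len; i++) if (!p[i]) return 1;   /* truncated sequence: stop at NUL */
    return len;
}

/* Escape src for use between single quotes: double quotes, double backslashes only if
 * the connection treats them as escapes, and copy multibyte characters whole so a
 * trail byte is never mistaken for '\' or '\''. Returns bytes written, (size_t)-1 on overflow. */
size_t escape_literal_conn(const struct sql_ctx *ctx, const char *src, char *dst, size_t dstlen)
{
    const unsigned char *p = (const unsigned char *)src;
    size_t n = 0;
    while (*p) {
        size_t len = char_len(ctx, p);
        if (len == 1 && (*p == '\'' || (*p == '\\' && !ctx->standard_conforming_strings))) {
            if (n + 2 >= dstlen) return (size_t)-1;
            dst[n++] = (char)*p; dst[n++] = (char)*p;
        } else {
            if (n + len >= dstlen) return (size_t)-1;
            memcpy(dst + n, p, len); n += len;
        }
        p += len;
    }
    dst[n] = '\0'; return n;
}

/* Context-free escaping has to guess the settings (here: UTF-8-like, '\' escapes). */
size_t escape_literal_naive(const char *src, char *dst, size_t dstlen)
{
    return escape_literal_conn(&CTX_UTF8_ESC, src, dst, dstlen);
}

/* Model of the server's lexer: offset of the quote that closes a literal whose opening
 * quote is already consumed, or -1 if it never closes. */
static long literal_end(const struct sql_ctx *srv, const unsigned char *p)
{
    long i = 0;
    while (p[i]) {
        size_t len = char_len(srv, p + i);
        if (len == 1 && p[i] == '\\' && !srv->standard_conforming_strings && p[i + 1])
            len = 2;                        /* backslash consumes the next byte */
        else if (len == 1 && p[i] == '\'') {
            if (p[i + 1] != '\'') return i; /* lone quote closes the literal */
            len = 2;                        /* doubled quote stays inside it */
        }
        i += (long)len;
    }
    return -1;
}

/* 1 if the server closes the literal exactly at the quote we append after it, 0 if earlier. */
int literal_intact(const struct sql_ctx *srv, const char *escaped)
{
    unsigned char buf[256];
    size_t n = strlen(escaped);
    if (n + 2 > sizeof buf) return 0;
    memcpy(buf, escaped, n); buf[n] = '\''; buf[n + 1] = '\0';
    return literal_end(srv, buf) == (long)n;
}

/* Constructed attacker input on a Shift_JIS connection with '\' escapes: 0x95 0x5C is one
 * character whose trail byte is '\'. The context-free escaper doubles that byte; the extra
 * '\' escapes the first doubled quote, the second quote closes the literal early, and
 * " OR 1=1 --" runs as SQL. The connection-aware escape (14 bytes, not 15) survives. */
int demo_sjis_trail_byte(void)
{
    const char in[] = "\x95\x5C' OR 1=1 --";
    char good[64], bad[64];
    size_t ng = escape_literal_conn(&CTX_SJIS_ESC, in, good, sizeof good);
    size_t nb = escape_literal_naive(in, bad, sizeof bad);
    return ng == 14 && nb == 15 && literal_intact(&CTX_SJIS_ESC, good) && !literal_intact(&CTX_SJIS_ESC, bad);
}
```

Two things fall out of this that matter for the `%{sql:...}` discussion above. First, the same input `a\b'c` has two different correct escapes depending on `standard_conforming_strings`, so an escape function without the connection cannot be right for both; that is why a context pointer, and not just an input string, is the right signature. Second, the Shift_JIS case shows the failure is not merely wrong data but a literal that terminates early, which is an injection: whatever mechanism ends up expanding `%{User-Name}` into the query text (a double-expanding xlat or anything else), the bytes it produces have to be escaped for the connection they will travel down, and with more than one backend with distinct settings, for each of them separately.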

