SQL escaping
Phil Mayers
p.mayers at imperial.ac.uk
Fri Sep 21 02:33:50 CEST 2012
On 09/20/2012 05:45 PM, Arran Cudbard-Bell wrote:
> So you can ignore those safe in the knowledge they'll be gone by the time we release 3.0.
If we're happy to throw away the single-char xlat, then this should be a
working patch:
https://github.com/philmayers/freeradius-server/commit/5d979e9f81fb493464aed50d155c752108fc2815
It does the escaping once, in radius_xlat, and doesn't pass the escape
func down the stack. It fixes up all uses of the various changed
prototypes, and makes use of the new context argument to make
safe-characters a per-instance rather than global in the various SQL
modules.
It compiles and fires up and does basic xlat here for me.
If we want to retain the single-char xlat I can add these in on top.
The rlm_sqlcounter code needs extensive testing and review; I made some
rather more extensive changes there for what seemed like simplicity,
specifically I removed its SQL escaping entirely, and rely on:
%{sql:select '%{var}'}
...the sql_xlat function in the parent SQL module correctly escaping
everything to the right of the ":".
If the basic approach looks right, I can rework cosmetic or naming as
needed and once that is in "master", do a 2nd patchset which adds an
"escape" function to the SQL driver layer, and gives the option of
per-connection escaping for postgresql/mysql.
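The approach the message describes (escape the expanded value exactly once, at expansion time, using a safe-character set carried by the SQL module instance rather than a global) is illustrated below. This is an added example written for this page, not code from the linked patch or from rlm_sql; the struct layout, the `=XX` hex form for unsafe bytes, the `sql_escape`/`radius_xlat_sql` names and the attribute table are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Per-instance configuration (assumed layout for this example): each SQL
 * module instance carries its own set of bytes allowed through unescaped. */
struct sql_instance {
    const char *safe_characters;
};

/* A conservative default safe set; anything else is hex-escaped. */
#define SAFE_DEFAULT \
    "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_ "

/* Rewrite every byte of `in` that is not in the instance's safe set as
 * "=XX" (two uppercase hex digits). '=' itself is never in the safe set, so
 * the encoding is unambiguous. Returns bytes written excluding the NUL, or
 * -1 if `out` cannot hold the result. */
int sql_escape(const struct sql_instance *inst, const char *in,
               char *out, size_t outlen)
{
    size_t used = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        if (*p >= 32 && *p < 127 && strchr(inst->safe_characters, *p)) {
            if (used + 1 >= outlen) return -1;
            out[used++] = (char)*p;
        } else {
            if (used + 3 >= outlen) return -1;
            snprintf(out + used, outlen - used, "=%02X", (unsigned)*p);
            used += 3;
        }
    }
    out[used] = '\0';
    return (int)used;
}

/* Minimal stand-in for the request's attribute list (constructed data). */
struct attr {
    const char *name;
    const char *value;
};

static const char *lookup(const struct attr *attrs, const char *name, size_t namelen)
{
    for (; attrs->name; attrs++) {
        if (strlen(attrs->name) == namelen && strncmp(attrs->name, name, namelen) == 0)
            return attrs->value;
    }
    return "";   /* unknown attribute expands to the empty string */
}

/* Expand "%{Name}" references in `fmt`. The escaping happens here, once,
 * at the moment the value is substituted; nothing further down the stack
 * needs to know about escaping. Literal text in `fmt` is copied verbatim. */
int radius_xlat_sql(const struct sql_instance *inst, const struct attr *attrs,
                    const char *fmt, char *out, size_t outlen)
{
    size_t used = 0;
    const char *p = fmt;
    while (*p) {
        if (p[0] == '%' && p[1] == '{') {
            const char *end = strchr(p + 2, '}');
            if (!end) return -1;                 /* unterminated reference */
            const char *value = lookup(attrs, p + 2, (size_t)(end - (p + 2)));
            int n = sql_escape(inst, value, out + used, outlen - used);
            if (n < 0) return -1;
            used += (size_t)n;
            p = end + 1;
        } else {
            if (used + 1 >= outlen) return -1;
            out[used++] = *p++;
        }
    }
    out[used] = '\0';
    return (int)used;
}

/* Constructed sample request: a User-Name that contains SQL quoting. */
static const struct attr demo_attrs[] = {
    { "User-Name", "bob' or '1'='1" },
    { NULL, NULL }
};

/* Expands the query shape from the message, "%{sql:select '%{var}'}", for
 * the sample request. Returns the expanded length, or -1 on error. */
int demo(char *out, size_t outlen)
{
    struct sql_instance inst = { SAFE_DEFAULT };
    return radius_xlat_sql(&inst, demo_attrs, "select '%{User-Name}'", out, outlen);
}

int main(void)
{
    char buf[128];
    if (demo(buf, sizeof buf) < 0) return 1;
    printf("%s\n", buf);   /* select 'bob=27 or =271=27=3D=271' */
    return 0;
}
```

Because the escape is applied to the expanded value and not to the literal text of the format string, the single quotes the module author wrote around `%{User-Name}` survive while the quotes inside the user-supplied value are neutralised, and the per-instance `safe_characters` is what a second instance would override.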
More information about the Freeradius-Devel mailing list