rlm_sql sql_escape_func
Hagen Münch
hmuench at gordiancode.com
Tue Jan 8 17:51:01 CET 2019
Sure, but then e.g.
UPDATE users set username = '%{Stripped-User-Name}' is expanded to UPDATE users SET username = 'foo'bar', because the single quote is not escaped and the execution of the query will fail. The statement should rather be xlated to UPDATE users SET username = 'foo''bar'.
-----Original Message-----
From: Freeradius-Devel <freeradius-devel-bounces+hmuench=gordiancode.com at lists.freeradius.org> On Behalf Of Alan DeKok
Sent: Tuesday, 8 January 2019 15:41
To: FreeRadius developers mailing list <freeradius-devel at lists.freeradius.org>
Subject: Re: rlm_sql sql_escape_func
On Jan 8, 2019, at 9:32 AM, Hagen Münch <hmuench at gordiancode.com> wrote:
>
>
> I met the problem that if there are string values in a database that contain single quotes, the radius_axlat function expands a "foo'bar" to "foo27bar" by using the sql_escape_func of the rlm_sql module.
That's what the SQL escape function does.
> I solved it by adding
> ...
> Do you think this approach is appropriate and would it be possible to add this single-quote escape case to the v3.x source? Thank you.
It's not correct.
You can set "sql_safe_characters" in the SQL configuration. See raddb/mods-config/sql/main/*/queries.conf for more information.
Alan DeKok.
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
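Added illustration of the two behaviours discussed in this thread (this is example code written for this archive page, not FreeRADIUS's own code). It re-implements the escaping scheme rlm_sql's sql_escape_func applies to xlat'd values in 3.x, copying characters listed in sql_safe_characters and emitting every other byte as =XX, and puts it beside the quote-doubling approach proposed in the reply. The whitelist string below is a placeholder that stands in for the module's default and must be checked against your own queries.conf; the table, rows and values are constructed sample data, and the stacked-query input goes one step beyond the thread to show what whitelisting the quote character actually does to a query built by string expansion.

```python
import sqlite3

# Stand-in for the sql_safe_characters default; the real value is an assumption
# here and should be read from raddb/mods-config/sql/main/*/queries.conf.
SAFE_CHARS = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"


def rlm_sql_style_escape(value: str, safe_chars: str = SAFE_CHARS) -> str:
    """Mimic rlm_sql's sql_escape_func (re-implemented for illustration, not
    the module's code): bytes found in the whitelist are copied, every other
    byte is replaced by '=' followed by two uppercase hex digits."""
    out = []
    for byte in value.encode("utf-8"):
        ch = chr(byte)
        if byte < 0x80 and ch in safe_chars:
            out.append(ch)
        else:
            out.append("=%02X" % byte)
    return "".join(out)


def quote_doubling_escape(value: str) -> str:
    """The SQL-standard alternative raised in the thread: keep the text as-is
    and double each single quote so it survives inside a '...' literal."""
    return value.replace("'", "''")


def build_update(escaped: str) -> str:
    """The query from the thread with the already-escaped value interpolated,
    exactly as an xlat expansion would produce it."""
    return "UPDATE users SET username = '%s' WHERE id = 1" % escaped


def run_update(escaped: str):
    """Run the expanded statement against a constructed in-memory SQLite table.
    Returns (True, stored_username) or (False, error_text). executescript is
    used on purpose: like a real client, it will run stacked statements."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'old')")  # constructed sample row
    try:
        db.executescript(build_update(escaped))
        row = db.execute("SELECT username FROM users WHERE id = 1").fetchone()
    except sqlite3.Error as exc:
        return False, str(exc)
    return True, row[0]


def demo(value: str) -> dict:
    """Compare the three ways a value can reach the query:
    the whitelist escape as shipped, the whitelist with ' added to
    sql_safe_characters, and quote doubling."""
    return {
        "rlm_sql_default": run_update(rlm_sql_style_escape(value)),
        "rlm_sql_quote_whitelisted": run_update(
            rlm_sql_style_escape(value, SAFE_CHARS + "'")),
        "quote_doubling": run_update(quote_doubling_escape(value)),
    }


if __name__ == "__main__":
    for sample in ("foo'bar", "x'; DROP TABLE users; --"):
        print(repr(sample))
        for name, result in demo(sample).items():
            print("  %-26s %r" % (name, result))
```

With the whitelist escape the stored value is the hex-encoded form (foo=27bar), which is the behaviour the first message reports; the query never contains a raw quote, so it cannot be broken out of. Adding ' to sql_safe_characters makes the value pass through untouched, which is what the reply describes: 'foo'bar' is a syntax error, and a value carrying a stacked statement is executed. Quote doubling stores the original text intact, but it only works if the expanded value is always placed inside a single-quoted literal, which the whitelist scheme does not have to assume.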