"+" string converted to "=2B" in SQL request

Alan DeKok aland at deployingradius.com
Mon Mar 5 17:22:53 CET 2018


On Mar 5, 2018, at 11:13 AM, Tony LEMEUNIER <Tony.Lemeunier at novelcom.fr> wrote:
> I'm using Freeradius 3.0.12 with backend MySQL.
> 
> I customized my SQL groupreply request like this:
> 
> authorize_group_reply_query = "\
> 	SELECT id, groupname, attribute, \
> 	value, op \
> 	FROM ${groupreply_table} \
> 	WHERE groupname = '%{${group_attribute}}' AND value LIKE '%%%{Called-Station-Id}%%' \
> 	ORDER BY id"
> 
> %{Called-Station-Id} can be a phone number like +33567897654, and the request sent to MySQL is:
> 
> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = GROUP' AND value LIKE '%=2B33567897654%' ORDER BY id
> 
> The '+' string was converted to '=2B'.

  Yes.  For security.  Otherwise, any user could do an SQL injection attack.

> How can I preserve the + string?

  See raddb/mods-config/sql/main/mysql/queries.conf

  Uncomment, and edit the "safe_characters" string.

  And then watch people pwn your database.  Because there's no separate list of safe characters for SELECT versus INSERT.

  We're working on fixing this for v4.

  i.e. you're better off *not* putting the "+" into the DB.

  Alan DeKok.
