Apostrophe in username

Herwin Weststrate herwin at quarantainenet.nl
Fri Nov 2 11:29:26 CET 2018

On 02-11-18 11:06, Dom Latter wrote:
> On 30/10/2018 18:06, Stefan Winter wrote:
>> Hi,
>>>> Not a problem if the queries are properly escaped or parameterised.
>>>    That's what the "safe_characters" configuration does.  Allows
>>> "safe" characters, and escapes everything else.
>> Well, to be fair to the OP: using prepared statements would make all
>> those escaping adventures obsolete.
> Or just using conventional escape mechanisms (e.g.
> mysql_real_escape_string()).

The master branch actually has code like that: every SQL backend can
have a specialised `sql_escape_func` that uses a sane escape method. It
might be a nice thing to backport to v3.0.x as well (with a config
option to enable it, it would break backwards compatibility otherwise)

Herwin Weststrate

More information about the Freeradius-Users mailing list