Apostrophe in username

Alan DeKok aland at deployingradius.com
Fri Nov 2 12:04:20 CET 2018

On Nov 2, 2018, at 6:06 AM, Dom Latter <freeradius-users at latter.org> wrote:
> Or just using conventional escape mechanisms (e.g.
> mysql_real_escape_string()).

  Which, IIRC, wasn't available when the rlm_sql module was written... in 2000 or so.

  As always, patches are welcome.

> My account management system is written using the Yii PHP framework,
> and it uses PDO, hence apostrophes etc. safely ending up in the
> database.

  When adding them from the account management system.

  I think there's a misconception here.  The issue is *not* about apostrophes in the DB.  The issue is apostrophes in SQL queries.  And, apostrophes which come from *untrusted user input*.

  That untrusted user input MUST be escaped for it to be safe.  Either that, or passed to a stored procedure.

  Adding apostrophe to the list of safe characters means that any user can own your database.  It is absolutely and 100% the wrong thing to do.

> It's a long time since I wrote in C but I am guessing that the
> following added to sql_escape_func() inside rlm_sql.c would sort it:

  That's pretty much what the "safe-characters" code already does.

  Alan DeKok.

More information about the Freeradius-Users mailing list