Apostrophe in username

Alan DeKok aland at deployingradius.com
Fri Nov 2 12:37:59 CET 2018


On Nov 2, 2018, at 7:32 AM, Dom Latter <freeradius-users at latter.org> wrote:
> I am very aware of all this - I should have made myself clearer in the
> first place.  Adding apostrophe to the list was purely an experiment;
> I had vague hopes that it might have been escaped with a backslash.

  The code operates as documented.  It doesn't start escaping things *differently* when you turn escaping off...

>>> It's a long time since I wrote in C but I am guessing that the following added to sql_escape_func() inside rlm_sql.c would sort
>>> it:
>> That's pretty much what the "safe-characters" code already does.
> 
> I beg to differ - it mime-encodes.

  It escapes things.  The method used is less important.

> I note that
> https://dev.mysql.com/doc/refman/5.7/en/mysql-real-escape-string.html
> says:
> 
> "Characters encoded are \, ', ", NUL (ASCII 0), \n, \r, and Control+Z.
> Strictly speaking, MySQL requires only that backslash and the quote
> character used to quote the string in the query be escaped."
> 
> So if I have understood, the safe_characters code could be replaced
> with the snippet I just posted, a similar one for \, and no mime-
> encoding at all....

  It would be *much* preferable to use the mysql_real_escape_string function.  That way all knowledge of what to escape is inside of the MySQL code, where it belongs.

  Alan DeKok.
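The two escaping strategies contrasted in this thread, as an added example written for this page (not code from the thread, from rlm_sql.c, or from libmysqlclient): a backslash escaper that follows the byte list in the MySQL documentation quoted above, and an allow-list encoder in the spirit of rlm_sql's safe-characters handling. The `=XX` hex form of the allow-list encoder is an assumption drawn from the list's description of it as MIME-like, and the backslash escaper is a hand-written stand-in for `mysql_real_escape_string()`, which real code should call instead so the rules stay inside MySQL. The sample username `O'Brien` is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Allow-list used by the safe-characters style below (constructed sample). */
static const char ALNUM[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

/* Bytes the MySQL docs list for mysql_real_escape_string():
 * backslash, single quote, double quote, NUL, newline, CR and Ctrl-Z.
 * Returns 1 and fills rep[2] when c needs escaping, else 0. */
static int mysql_escape_byte(unsigned char c, char rep[2])
{
    switch (c) {
    case '\\': rep[0] = '\\'; rep[1] = '\\'; return 1;
    case '\'': rep[0] = '\\'; rep[1] = '\''; return 1;
    case '"':  rep[0] = '\\'; rep[1] = '"';  return 1;
    case '\0': rep[0] = '\\'; rep[1] = '0';  return 1;
    case '\n': rep[0] = '\\'; rep[1] = 'n';  return 1;
    case '\r': rep[0] = '\\'; rep[1] = 'r';  return 1;
    case 0x1a: rep[0] = '\\'; rep[1] = 'Z';  return 1;
    default:   return 0;
    }
}

/* Backslash escaping (hand-written approximation, assumption: not libmysqlclient).
 * inlen is explicit because NUL is one of the bytes that must be escaped.
 * Returns bytes written (excluding the terminator) or -1 if out is too small. */
long escape_backslash_style(const char *in, size_t inlen, char *out, size_t outlen)
{
    size_t o = 0;
    for (size_t i = 0; i < inlen; i++) {
        char rep[2];
        if (mysql_escape_byte((unsigned char)in[i], rep)) {
            if (o + 2 >= outlen) return -1;
            out[o++] = rep[0];
            out[o++] = rep[1];
        } else {
            if (o + 1 >= outlen) return -1;
            out[o++] = in[i];
        }
    }
    out[o] = '\0';
    return (long)o;
}

/* Allow-list encoding in the spirit of safe-characters: every byte not in
 * `safe` becomes "=XX" (assumed form). Note that adding the apostrophe to
 * `safe` simply passes it through unescaped, which is the thread's point. */
long escape_safe_chars_style(const char *in, size_t inlen, const char *safe,
                             char *out, size_t outlen)
{
    size_t o = 0;
    for (size_t i = 0; i < inlen; i++) {
        unsigned char c = (unsigned char)in[i];
        /* c != 0 guard: strchr() would otherwise match the terminator of `safe` */
        if (c != '\0' && strchr(safe, c) != NULL) {
            if (o + 1 >= outlen) return -1;
            out[o++] = (char)c;
        } else {
            if (o + 3 >= outlen) return -1;
            snprintf(out + o, outlen - o, "=%02X", c);
            o += 3;
        }
    }
    out[o] = '\0';
    return (long)o;
}

int main(void)
{
    const char user[] = "O'Brien";          /* constructed sample username */
    char a[64], b[64], c[64];
    char safe_with_quote[80];
    snprintf(safe_with_quote, sizeof safe_with_quote, "%s'", ALNUM);

    escape_backslash_style(user, strlen(user), a, sizeof a);
    escape_safe_chars_style(user, strlen(user), ALNUM, b, sizeof b);
    escape_safe_chars_style(user, strlen(user), safe_with_quote, c, sizeof c);

    printf("backslash style:            %s\n", a);  /* O\'Brien  */
    printf("safe-chars style:           %s\n", b);  /* O=27Brien */
    printf("safe-chars + apostrophe:    %s\n", c);  /* O'Brien   */
    return 0;
}
```

Both forms are bounds-checked and report overflow rather than truncating silently; the third call shows why adding `'` to the allow-list cannot produce a backslash: the allow-list code only decides whether to encode a byte, it never changes how.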
