Apostrophe in username
Alan DeKok
aland at deployingradius.com
Fri Nov 2 12:37:59 CET 2018
On Nov 2, 2018, at 7:32 AM, Dom Latter <freeradius-users at latter.org> wrote:
> I am very aware of all this - I should have made myself clearer in the
> first place. Adding apostrophe to the list was purely an experiment;
> I had vague hopes that it might have been escaped with a backslash.
The code operates as documented. It doesn't start escaping things *differently* when you turn escaping off...
>>> It's a long time since I wrote in C but I am guessing that the following added to sql_escape_func() inside rlm_sql.c would sort it:
>> That's pretty much what the "safe-characters" code already does.
>
> I beg to differ - it mime-encodes.
It escapes things. The method used is less important.
> I note that
> https://dev.mysql.com/doc/refman/5.7/en/mysql-real-escape-string.html
> says:
>
> "Characters encoded are \, ', ", NUL (ASCII 0), \n, \r, and Control+Z.
> Strictly speaking, MySQL requires only that backslash and the quote
> character used to quote the string in the query be escaped."
>
> So if I have understood, the safe_characters code could be replaced
> with the snippet I just posted, a similar one for \, and no mime-encoding
> at all....
It would be *much* preferable to use the mysql_real_escape_string function. That way all knowledge of what to escape is inside of the MySQL code, where it belongs.
Alan DeKok.
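An added illustration, not FreeRADIUS's own code, of the two approaches the thread contrasts: an allow-list escape that hex-encodes every byte outside an assumed safe set (so an apostrophe becomes =27 rather than a quote), beside a hand-rolled backslash escape of exactly the characters the MySQL manual lists. The function names, the SAFE list and the buffer handling are assumptions; the real allow-list comes from the rlm_sql configuration.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not FreeRADIUS code. SAFE is an assumed allow-list; the real
 * one comes from the rlm_sql "safe_characters" setting. */
static const char SAFE[] =
    "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /";

/* Allow-list escaping: every byte not in SAFE becomes =XX (hex), so a quote
 * never reaches the SQL parser as a quote, whatever the server's quoting
 * rules. Worst case output is 3*strlen(in)+1 bytes. Returns output length. */
size_t escape_safe_chars(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        if (strchr(SAFE, *p)) {
            if (o + 1 >= outlen) break;
            out[o++] = (char)*p;
        } else {
            if (o + 3 >= outlen) break;
            snprintf(out + o, 4, "=%02X", *p);   /* '=' itself is unsafe: =3D */
            o += 3;
        }
    }
    out[o] = '\0';
    return o;
}

/* Backslash escaping of exactly the byte list the MySQL manual gives
 * (\ ' " NUL \n \r Ctrl-Z). Takes an explicit length so NUL can be handled.
 * Correct only while the server reads backslashes this way (not under, e.g.,
 * sql_mode NO_BACKSLASH_ESCAPES): the driver's mysql_real_escape_string()
 * knows the connection's rules, this code does not. Returns output length. */
static const char NEEDS[] = "\\'\"\n\r\x1A";   /* NUL handled separately */
static const char REPL[]  = "\\'\"nrZ";
size_t escape_backslash(const char *in, size_t inlen, char *out, size_t outlen)
{
    size_t o = 0;
    for (size_t i = 0; i < inlen; i++) {
        char c = in[i];
        const char *hit = c ? strchr(NEEDS, c) : NULL;
        char rep = c == '\0' ? '0' : hit ? REPL[hit - NEEDS] : 0;
        if (o + (rep ? 2 : 1) >= outlen) break;
        if (rep) out[o++] = '\\';
        out[o++] = rep ? rep : c;
    }
    out[o] = '\0';
    return o;
}
```

The allow-list form is what the thread calls "mime-encoding"; the backslash form is what the snippet for the apostrophe would have done by hand, and its correctness depends on server settings the caller cannot see.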