Apostrophe in username

Dom Latter freeradius-users at latter.org
Tue Oct 30 18:09:16 CET 2018


On 30/10/2018 15:39, Stefan Winter wrote:
> Hi,
>> By default we allow users to use their email address as a username.
> 
> Sure. My mail address is stefan';DROP TABLE radacct;@somedomain.com .

Not a problem if the queries are properly escaped or parameterised.

> Your query should use %{SQL-User-Name} instead of just %{User-Name}.

It does use %{SQL-User-Name} .
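
The point about parameterised queries, as an added example that is not part of the original post and is not FreeRADIUS code. It uses Python's sqlite3 as a stand-in database; the simplified table layouts, the "secret" password and the o'brien address are constructed for illustration.

```python
import sqlite3

# Constructed sample usernames: the address quoted in the thread, plus a
# legitimate address whose local part contains an apostrophe.
THREAD_NAME = "stefan';DROP TABLE radacct;@somedomain.com"
LEGIT_NAME = "o'brien@example.com"

def make_db():
    """In-memory database with simplified, hypothetical table layouts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radcheck (username TEXT, attribute TEXT, value TEXT)")
    db.execute("CREATE TABLE radacct (username TEXT, acctsessionid TEXT)")
    for name in (THREAD_NAME, LEGIT_NAME):
        # Bound parameters: the name is stored character for character as data.
        db.execute("INSERT INTO radcheck VALUES (?, 'Cleartext-Password', ?)",
                   (name, "secret"))
    return db

def lookup_interpolated(db, username):
    """'Before' form: the username is pasted into the SQL text."""
    sql = "SELECT value FROM radcheck WHERE username = '%s'" % username
    try:
        return db.execute(sql).fetchall()
    except (sqlite3.Error, sqlite3.Warning) as exc:
        # The apostrophe closes the string literal early, so the rest of the
        # name is parsed as SQL. sqlite3 refuses more than one statement per
        # execute(); that is a property of this driver, not a defence.
        return exc

def lookup_parameterised(db, username):
    """'After' form: the SQL text is fixed and the username is bound."""
    return db.execute("SELECT value FROM radcheck WHERE username = ?",
                      (username,)).fetchall()

def table_exists(db, name):
    row = db.execute("SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
                     (name,)).fetchone()
    return row is not None

if __name__ == "__main__":
    db = make_db()
    for name in (THREAD_NAME, LEGIT_NAME):
        print(repr(name))
        print("  interpolated :", repr(lookup_interpolated(db, name)))
        print("  parameterised:", lookup_parameterised(db, name))
    print("radacct still present:", table_exists(db, "radacct"))
```

The interpolated lookup fails even for the legitimate apostrophe address, while the parameterised lookup returns the stored row for both names.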


