safe_characters issue

Alan DeKok aland at
Wed Jun 17 21:59:10 CEST 2020

On Jun 17, 2020, at 3:23 PM, Fabrice Durand <fdurand at> wrote:
> sorry to bother you.

  Fixing bugs is what I do...

> I did one last test and built new binary and revert few commits in 3.0.21 (attached to this email) in the rlm_sql modules and now freeradius take the safe_characters values from sql_degraded{...} section and not the sql {...} section anymore. (like it worked in freeradius 3.0.13)
> My skills in C are not good enough to find the issue but it looks that the "sql_escape_func" use the main sql section.

  The sql_escape_func() uses whatever configuration is in the SQL connection that it's using.

  i.e. If you configure sql_degraded to use the connection pool from the main SQL module, then the escaping is done using that configuration.

 So you have:
sql sql_degraded {
        pool = sql

  Which means that the "safe_characters" is taken from the main "sql" module.

  I admit that this behaviour is somewhat surprising, but.. I also have to ask, why use different "safe_characters" for connections to the same back-end database?  Do the safe_characters really change, depending on the SQL module, and not the database?

  My $0.02 is to just set "auto_escape = yes", and the problem goes away.  All escaping is done via the database library (not FreeRADIUS), and everything Just Works.

  Alan DeKok.

More information about the Freeradius-Users mailing list