All, I'd like to add a patch that uses the correct escaping function - for example, PQescapeStringConn in libpq - when expanding SQL strings. For various reason we find the "safe-characters" encoding a bit limiting for us. I did look at adding a per-module selectable escaping function with the current "safe" option as the default and a "\xNN" for non-ascii characters, but this again has some issues. It seems like it might be a good idea to use the underlying SQL driver escape function if one is present. Unfortunately this is a bit more complex than it first looks. In particular, the RADIUS_ESCAPE_FUNC prototype only receives the in, out and length params - no reference to the request or any other context it is called from. Also, it's not beyond the realm of possibility that someone might want to interpolate strings into a query other than arguments e.g. update control { Tmp-String-0 := "table1" } update control { Tmp-Integer-0 := "%{sql:select * from %{control:Tmp-String-0} ...}" } Does anyone have any insight into how to go about this? In particular, I note that the libpq API requires a reference to the connection object you're about to send the query down, because per-connection attributes (like client encoding) might affect the escaping. This could be doubly troublesome if you are talking to >1 backend with distinct SQL settings (a bad idea I know). Suggestions welcome - is this more trouble than it's worth? Cheers, Phil