Sure, but then e.g. UPDATE users set username = '%{Stripped-User-Name}' is expanded to UPDATE users SET username = 'foo'bar', because the single quote is not escaped and the execution of the query will fail. The statement should rather be xlated to UPDATE users SET username = 'foo''bar'. -----Original Message----- From: Freeradius-Devel <freeradius-devel-bounces+hmuench=gordiancode.com@lists.freeradius.org> On Behalf Of Alan DeKok Sent: Dienstag, 8. Januar 2019 15:41 To: FreeRadius developers mailing list <freeradius-devel@lists.freeradius.org> Subject: Re: rlm_sql sql_escape_func On Jan 8, 2019, at 9:32 AM, Hagen Münch <hmuench@gordiancode.com> wrote:
I met the problem that if there are string values in a data base that contain single-quotes, the radius_axlat function expands a "foo'bar" to "foo27bar" by using the sql_escape_func of the rlm_sql module.
That's what the SQL escape function does.
I solved it by adding ... Do you think this approach is appropriate and would it be possible to add this single-quote escape case to the v3.x source? Thank you.
It's not correct. You can set "sql_safe_characters" in the SQL configuration. See raddb/mods-config/sql/main/*/queries.conf for more information. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html