Hello, I met the problem that if there are string values in a data base that contain single-quotes, the radius_axlat function expands a "foo'bar" to "foo27bar" by using the sql_escape_func of the rlm_sql module. I solved it by adding ---snip--- case '\'': if (outlen <= 2) break; out[0] = '\''; out[1] = '\''; in++; out += 2; outlen -= 2; len += 2; break; ---snip--- To the sql_escape_func. Do you think this approach is appropriate and would it be possible to add this single-quote escape case to the v3.x source? Thank you. Take care, Hagen
On Jan 8, 2019, at 9:32 AM, Hagen Münch <hmuench@gordiancode.com> wrote:
I met the problem that if there are string values in a data base that contain single-quotes, the radius_axlat function expands a "foo'bar" to "foo27bar" by using the sql_escape_func of the rlm_sql module.
That's what the SQL escape function does.
I solved it by adding ... Do you think this approach is appropriate and would it be possible to add this single-quote escape case to the v3.x source? Thank you.
It's not correct. You can set "sql_safe_characters" in the SQL configuration. See raddb/mods-config/sql/main/*/queries.conf for more information. Alan DeKok.
Alan DeKok wrote:
On Jan 8, 2019, at 9:32 AM, Hagen Münch <hmuench@gordiancode.com> wrote:
I met the problem that if there are string values in a data base that contain single-quotes, the radius_axlat function expands a "foo'bar" to "foo27bar" by using the sql_escape_func of the rlm_sql module.
That's what the SQL escape function does.
I solved it by adding ... Do you think this approach is appropriate and would it be possible to add this single-quote escape case to the v3.x source? Thank you.
It's not correct.
You can set "sql_safe_characters" in the SQL configuration. See raddb/mods-config/sql/main/*/queries.conf for more information.
It is (or will become) a bit more complicated: both 4.x and 3.0.x (the next 3.0 release) have a possibility to get a more specific escape function per driver. This has been implemented for MySQL and Postgres. It could be implemented for other drivers as well, it's just that nobody has done that yet. So you might want to have a look at the git version of 3.0, it may contain code that solves your problem. -- Herwin Weststrate
Ok, I'll have a look. Thank you. -----Original Message----- From: Freeradius-Devel <freeradius-devel-bounces+hmuench=gordiancode.com@lists.freeradius.org> On Behalf Of Herwin Weststrate Sent: Dienstag, 8. Januar 2019 17:50 To: freeradius-devel@lists.freeradius.org Subject: Re: rlm_sql sql_escape_func Alan DeKok wrote:
On Jan 8, 2019, at 9:32 AM, Hagen Münch <hmuench@gordiancode.com> wrote:
I met the problem that if there are string values in a data base that contain single-quotes, the radius_axlat function expands a "foo'bar" to "foo27bar" by using the sql_escape_func of the rlm_sql module.
That's what the SQL escape function does.
I solved it by adding ... Do you think this approach is appropriate and would it be possible to add this single-quote escape case to the v3.x source? Thank you.
It's not correct.
You can set "sql_safe_characters" in the SQL configuration. See raddb/mods-config/sql/main/*/queries.conf for more information.
It is (or will become) a bit more complicated: both 4.x and 3.0.x (the next 3.0 release) have a possibility to get a more specific escape function per driver. This has been implemented for MySQL and Postgres. It could be implemented for other drivers as well, it's just that nobody has done that yet. So you might want to have a look at the git version of 3.0, it may contain code that solves your problem. -- Herwin Weststrate - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
Sure, but then e.g. UPDATE users set username = '%{Stripped-User-Name}' is expanded to UPDATE users SET username = 'foo'bar', because the single quote is not escaped and the execution of the query will fail. The statement should rather be xlated to UPDATE users SET username = 'foo''bar'. -----Original Message----- From: Freeradius-Devel <freeradius-devel-bounces+hmuench=gordiancode.com@lists.freeradius.org> On Behalf Of Alan DeKok Sent: Dienstag, 8. Januar 2019 15:41 To: FreeRadius developers mailing list <freeradius-devel@lists.freeradius.org> Subject: Re: rlm_sql sql_escape_func On Jan 8, 2019, at 9:32 AM, Hagen Münch <hmuench@gordiancode.com> wrote:
I met the problem that if there are string values in a data base that contain single-quotes, the radius_axlat function expands a "foo'bar" to "foo27bar" by using the sql_escape_func of the rlm_sql module.
That's what the SQL escape function does.
I solved it by adding ... Do you think this approach is appropriate and would it be possible to add this single-quote escape case to the v3.x source? Thank you.
It's not correct. You can set "sql_safe_characters" in the SQL configuration. See raddb/mods-config/sql/main/*/queries.conf for more information. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
participants (3)
-
Alan DeKok -
Hagen Münch -
Herwin Weststrate