29 Mar
2006
29 Mar
'06
9 a.m.
Duane Cox wrote:
Appartenly somewhere (rlm_sql ?) the username is being changed possible in an anti-injection function, I don't know. Can someone shed some light on this?
For instance, in the debug snip below, the username 'dcox&dcox' is changed to 'dcox=26dcox' which of course fails the sql select statement.
It's not a bug, it's a feature. It prevents SQL injection attacks on your backend database. http://www.google.com/search?q=sql+injection+attack As Alan said, you can change the "safe-characters" option in sql.conf, but only if you know exactly what you are doing. -- Nicolas Baradakis