On Nov 2, 2018, at 7:32 AM, Dom Latter <freeradius-users@latter.org> wrote:
I am very aware of all this - I should have made myself clearer in the first place. Adding apostrophe to the list was purely an experiment; I had vague hopes that it might have been escaped with a backslash.
The code operates as documented. It doesn't start escaping things *differently* when you turn escaping off...
It's a long time since I wrote in C but I am guessing that the following added to sql_escape_func() inside rlm_sql.c would sort it: That's pretty much what the "safe-characters" code already does.
I beg to differ - it mime-encodes.
It escapes things. The method used is less important.
I note that https://dev.mysql.com/doc/refman/5.7/en/mysql-real-escape-string.html says:
"Characters encoded are \, ', ", NUL (ASCII 0), \n, \r, and Control+Z. Strictly speaking, MySQL requires only that backslash and the quote character used to quote the string in the query be escaped."
So if I have understood, the safe_characters code could be replaced with the snippet I just posted, a similar one for \, and no mime- encoding at all....
It would be *much* preferable to use the mysql_real_escape_string function. That way all knowledge of what to escape is inside of the MySQL code, where it belongs. Alan DeKok.