On 18-07-19 14:48, Dom Latter wrote:
On 18/07/2019 12:21, Alan DeKok wrote:
The SQL module has always performed character escaping. I'm not sure what changed, if anything.
The short answer is that you can expose your SQL server to injection attacks by editing the "safe_characters" string in mods-config/sql/main/mysql/queries.conf
Is using parameterised queries instead anywhere on the roadmap?
https://github.com/FreeRADIUS/freeradius-server/issues/830 There is an issue to do it, but it looks like nobody had any time to fix it. Meanwhile, Postgresql and Mysql have an option driver_specific_escape that uses driver specific escapes and should fix the problem. It was introduced pretty recently, so I guess 3.0.19 should have it available. (Other drivers can be rewritten to include a specific include as well, it's just that nobody ever did that). -- Herwin Weststrate