Hi,
Not a problem if the queries are properly escaped or parameterised.
That's what the "safe_characters" configuration does. Allows "safe" characters, and escapes everything else.
Well, to be fair to the OP: using prepared statements would make all those escaping adventures obsolete. In other projects, I learned to love the ability to defer all escaping questions to the library, and just send the stuff I want to send, with peace of mind that this is exactly what will end up in the DB. Greetings, Stefan
If you edit the configuration to allow apostrophe, then you *will* be open to attacks, and someone *will* destroy your database.
ALan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66