On 17/09/2021 10:51, Alan DeKok wrote:
On Sep 17, 2021, at 9:14 AM, Antônio Modesto <modesto@hubsoft.com.br> wrote:
That's really a problem. I did some tests and I don't think it is possible to do sql injection without allowing a single quote in safe_characters. Am I missing something? Backslashes? Various other things? You'll have to investigate your particular database in detail to see what's possible.
We've listed what we know is safe. Anything else is potentially dangerous.
Alan DeKok.
That's true. I will need to replace every ";" in the NAS-Port-Id attribute with another character, "/" for example. Do you know how can I do that without using the "%{sub:" function? (Not all my servers have the proper version to use that already)
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Att, *Antônio Modesto*