On Jul 18, 2019, at 8:55 AM, Herwin Weststrate <herwin@quarantainenet.nl> wrote:
https://github.com/FreeRADIUS/freeradius-server/issues/830
There is an issue to do it, but it looks like nobody had any time to fix it.
We've made some good progress, but only in the "master" branch. The goal is to automatically split the SQL queries into "safe" and "unsafe" bits. But that involves tracking the safety of expansions recursively. Which then changes all kinds of things. It's just easier to do it in v4.
Meanwhile, Postgresql and Mysql have an option driver_specific_escape that uses driver specific escapes and should fix the problem. It was introduced pretty recently, so I guess 3.0.19 should have it available. (Other drivers can be rewritten to include a specific include as well, it's just that nobody ever did that).
That's the best approach for v3. Alan DeKok.