Hi Alan, And thanks for your reply. My radius is on private LAN, so no risk. Best Regards, Tony LEMEUNIER Le 05/03/2018 17:23, « Freeradius-Users au nom de Alan DeKok » <freeradius-users-bounces+tony.lemeunier=novelcom.fr@lists.freeradius.org au nom de aland@deployingradius.com> a écrit : On Mar 5, 2018, at 11:13 AM, Tony LEMEUNIER <Tony.Lemeunier@novelcom.fr> wrote: > I'am using Freeradius 3.0.12 with backend MySQL. > > I customized my SQL groupreply request like this: > > authorize_group_reply_query = "\ > SELECT id, groupname, attribute, \ > value, op \ > FROM ${groupreply_table} \ > WHERE groupname = '%{${group_attribute}}' AND value LIKE '%%%{Called-Station-Id}%%' \ > ORDER BY id" > > %(Called-Station-Id) can be phone number like +33567897654, and the request sent to MySQL is: > > SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = GROUP' AND value LIKE '%=2B33567897654%' ORDER BY id > > '+' string was converted to "=2B'. Yes. For security. Otherwise, any user could do an SQL injection attack. > How can I do to preserve + string See raddb/mods-config/sql/main/mysql/queries.conf Uncomment, and edit the "safe_characters" string. And then watch people pwn your database. Because there's no separate list of safe characters for SELECT versus INSERT. We're working on fixing this for v4. i.e. you're better off *not* putting the "+" into the DB. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html