On Nov 2, 2018, at 6:06 AM, Dom Latter <freeradius-users@latter.org> wrote:
Or just using conventional escape mechanisms (e.g. mysql_real_escape_string()).
Which, IIRC, wasn't available when the rlm_sql module was written... in 2000 or so. As always, patches are welcome.
My account management system is written using the Yii PHP framework, and it uses PDO, hence apostrophes etc. safely ending up in the database.
When adding them from the account management system. I think there's a misconception here. The issue is *not* about apostrophes in the DB. The issue is apostrophes in SQL queries. And, apostrophes which come from *untrusted user input*. That untrusted user input MUST be escaped for it to be safe. Either that, or passed to a stored procedure. Adding apostrophe to the list of safe characters means that any user can own your database. It is absolutely and 100% the wrong thing to do.
It's a long time since I wrote in C but I am guessing that the following added to sql_escape_func() inside rlm_sql.c would sort it:
That's pretty much what the "safe-characters" code already does. Alan DeKok.