30 Oct
2018
30 Oct
'18
1:15 p.m.
On Oct 30, 2018, at 1:09 PM, Dom Latter <freeradius-users@latter.org> wrote:
On 30/10/2018 15:39, Stefan Winter wrote:
Hi,
By default we allow users to use their email address as a username. Sure. My mail address is stefan';DROP TABLE radacct;@somedomain.com .
Not a problem if the queries are properly escaped or parameterised.
That's what the "safe_characters" configuration does. Allows "safe" characters, and escapes everything else. If you edit the configuration to allow apostrophe, then you *will* be open to attacks, and someone *will* destroy your database. ALan DeKok.