On 10/19/2011 08:41 AM, Fajar A. Nugraha wrote:
has the complete safe_characters needed. Turns out FR uses the safe_characters from the LAST instantiated sql instance. Manually putting the sql instances in instantiate section of radiusd.conf, with the one containing safe_characters I want last, works as expected.
Yeah, that's a tedious bug that's hard to solve. The "sql_xlat" function calls "radius_xlat" and supplies "sql_escape_func" as the final argument; unfortunately the "escape functions" you can pass to "radius_xlat" just get the input string and output buffer - they don't get any per-module config, so making the safe_characters per-module is tricky. I did have some patches making the escape function (but not the safe_characters) selectable and offering "\xAA" as well as "raw" i.e. no escaping. The latter was intended for use with Postgres' dollar-quoted strings e.g. select * from foo where bar=$tag$this is the string$tag$ Are you using postgres? If so, you could try to abuse this feature by making EVERY character safe, then perform the escaping yourself by doing this: update request { SQL-Query := "select * from foo where bar=$tag$%{User-Name}$tag$" SQL-Result := "%{sql:%{SQL-Query}}" } It's not the most secure option; someone could contrive to get the string "$tag$; drop table foo" into a radius field, but if you can be sure this won't happen (e.g. sanitise it) it might work.