Null SQL user

Michael Griego mgriego at
Thu Sep 21 18:03:12 CEST 2006

There is a risk with this patch of running queries where the WHERE  
clause becomes WHERE UserName = ''...  Which, I guess isn't really  
all that bad...

I'm not sure I have any real problem with it, but we'll probably want  
to make the default sql_user_name configuration item %{User-Name:- 
DEFAULT} if we make the change this way.


On Sep 21, 2006, at 8:20 AM, Peter Nixon wrote:

>>> As you can see a request with NULL username is quite valid for  
>>> me, and
>>> may be proxied or accepted based (from inside the sql procedure)  
>>> based on
>>> information in the request other than username/password and should
>>> therefore go through the normal sql queries.
>> Oh, absolutely.  There are many instances where a User-Name attribute
>> may not/need not be present that are completely valid and should be
>> handled by the sql module.
> Can someone please test the attached patch before I commit it. It  
> works ok for
> us with Postgresql but its possible that it may cause suprises for  
> other
> database types.
> Cheers
> -- 
> Peter Nixon
> PGP Key:
> <nullsqluser.patch>
> -
> List info/subscribe/unsubscribe? See 
> devel.html

More information about the Freeradius-Devel mailing list