SQL escaping
Phil Mayers
p.mayers at imperial.ac.uk
Wed Sep 19 18:33:38 CEST 2012
All,
I'd like to add a patch that uses the correct escaping function - for
example, PQescapeStringConn in libpq - when expanding SQL strings. For
various reasons we find the "safe-characters" encoding a bit limiting for us.
I did look at adding a per-module selectable escaping function with the
current "safe" option as the default and a "\xNN" for non-ASCII
characters, but this again has some issues.
It seems like it might be a good idea to use the underlying SQL driver
escape function if one is present.
Unfortunately this is a bit more complex than it first looks. In
particular, the RADIUS_ESCAPE_FUNC prototype only receives the in, out
and length params - no reference to the request or any other context it
is called from.
Also, it's not beyond the realm of possibility that someone might want
to interpolate strings into a query other than arguments, e.g.
update control {
Tmp-String-0 := "table1"
}
update control {
Tmp-Integer-0 := "%{sql:select * from %{control:Tmp-String-0} ...}"
}
Does anyone have any insight into how to go about this? In particular, I
note that the libpq API requires a reference to the connection object
you're about to send the query down, because per-connection attributes
(like client encoding) might affect the escaping. This could be doubly
troublesome if you are talking to >1 backend with distinct SQL settings
(a bad idea I know).
Suggestions welcome - is this more trouble than it's worth?
Cheers,
Phil
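To make the distinction in the post concrete, here is an added example (not FreeRADIUS code and not from this thread): a simplified reimplementation of the "safe characters" escape with the context-free (out, outlen, in) shape described above, beside a simplified PostgreSQL-style literal escape whose backslash handling depends on the per-connection standard_conforming_strings setting. The function names, the exact signature and the whitelist are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not FreeRADIUS code: a simplified "safe characters" escape
 * with the context-free (out, outlen, in) shape the post describes, beside a
 * PostgreSQL-style literal escape that depends on a per-connection setting. */

/* Assumed whitelist; everything outside it is encoded as =XX. */
static const char *safe_chars =
    "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /";

/* Context-free escape: returns bytes written (excluding NUL); stops early
 * rather than overflow when out cannot hold the next token. */
int sql_escape_safe(char *out, int outlen, const char *in)
{
    int n = 0;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        if (strchr(safe_chars, c)) {
            if (n + 1 >= outlen) break;
            out[n++] = (char)c;
        } else {  /* quotes, ';' and every non-ASCII byte, so UTF-8 is mangled */
            if (n + 3 >= outlen) break;
            n += snprintf(out + n, (size_t)(outlen - n), "=%02X", c);
        }
    }
    out[n] = '\0';
    return n;
}

/* Single-quoted PostgreSQL literal: doubles ' and, when the connection has
 * standard_conforming_strings off, also doubles backslash. That flag is
 * per-connection state a bare (out, outlen, in) callback cannot see, which
 * is why libpq reads it from the connection handle. */
int pg_escape_literal(char *out, int outlen, const char *in, int std_conforming)
{
    int n = 0;
    for (; *in; in++) {
        int dbl = (*in == '\'') || (*in == '\\' && !std_conforming);
        if (n + 1 + dbl >= outlen) break;
        out[n++] = *in;
        if (dbl) out[n++] = *in;
    }
    out[n] = '\0';
    return n;
}
```

Running sql_escape_safe over the UTF-8 name "jürgen" yields "j=C3=BCrgen", which is the limitation the post refers to; pg_escape_literal gives a different result for the same input depending on the connection flag.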
More information about the Freeradius-Devel mailing list