SQL escaping

Phil Mayers p.mayers at imperial.ac.uk
Wed Sep 19 18:33:38 CEST 2012


I'd like to add a patch that uses the correct escaping function - for 
example, PQescapeStringConn in libpq - when expanding SQL strings. For 
various reasons we find the "safe-characters" encoding a bit limiting for us.

I did look at adding a per-module selectable escaping function with the 
current "safe" option as the default and a "\xNN" for non-ascii 
characters, but this again has some issues.

It seems like it might be a good idea to use the underlying SQL driver 
escape function if one is present.

Unfortunately this is a bit more complex than it first looks. In 
particular, the RADIUS_ESCAPE_FUNC prototype only receives the in, out 
and length params - no reference to the request or any other context it 
is called from.

Also, it's not beyond the realm of possibility that someone might want 
to interpolate strings into a query other than arguments e.g.

update control {
   Tmp-String-0 := "table1"
}
update control {
   Tmp-Integer-0 := "%{sql:select * from %{control:Tmp-String-0} ...}"
}

Does anyone have any insight into how to go about this? In particular, I 
note that the libpq API requires a reference to the connection object 
you're about to send the query down, because per-connection attributes 
(like client encoding) might affect the escaping. This could be doubly 
troublesome if you are talking to >1 backend with distinct SQL settings 
(a bad idea I know).

Suggestions welcome - is this more trouble than it's worth?


More information about the Freeradius-Devel mailing list
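Added example, not part of Phil's message or of FreeRADIUS/libpq code: the contrast his post describes, in working C. It puts the "safe-characters" encoding (modelled on rlm_sql's default list, an assumption here) in the context-free (out, outlen, in) shape he mentions beside a quote-doubling escaper that either escapes blind or knows the connection's client encoding, and shows why the latter matters: in GBK the trail-byte range includes 0x5C, so a blind escaper that doubles '\' splits a two-byte character and leaves a stray backslash which, on a server with backslash escapes enabled, can swallow the closing quote. The struct and function names are hypothetical stand-ins for what libpq reads from the PGconn, and the sample bytes are constructed.

```c
/* Added example (not FreeRADIUS or libpq code): why an SQL escape function
 * needs the connection it is used on. Type names and the safe list are assumed. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Modelled on rlm_sql's default safe-characters list (assumed here). */
static const char SAFE_CHARS[] =
    "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /";

/* "Safe-characters" encoding in the context-free (out, outlen, in) shape the
 * post describes: bytes outside SAFE_CHARS become =XX. Needs no connection,
 * but mangles apostrophes and every non-ASCII character. */
size_t escape_safe_chars(char *out, size_t outlen, const char *in)
{
    size_t used = 0;
    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;
        size_t need = strchr(SAFE_CHARS, c) ? 1 : 3;
        if (used + need >= outlen) break;
        if (need == 1) out[used++] = (char)c;
        else { snprintf(out + used, outlen - used, "=%02X", c); used += 3; }
    }
    out[used] = '\0';
    return used;
}

/* Per-connection state a real escaper depends on (libpq reads it from the
 * PGconn; this struct is hypothetical). charlen() stands for the client
 * encoding: byte length of the character starting at p, NULL = single-byte. */
typedef size_t (*charlen_fn)(const unsigned char *p, size_t remaining);
struct sql_conn_ctx {
    charlen_fn charlen;
    bool backslash_is_escape;    /* standard_conforming_strings = off */
};

/* GBK: lead 0x81-0xFE, trail 0x40-0xFE except 0x7F. The trail range
 * contains 0x5C, so a '\' byte may be the second half of a character. */
size_t charlen_gbk(const unsigned char *p, size_t remaining)
{
    if (remaining >= 2 && p[0] >= 0x81 && p[0] <= 0xFE &&
        p[1] >= 0x40 && p[1] <= 0xFE && p[1] != 0x7F) return 2;
    return remaining ? 1 : 0;
}

/* SQL literal escaping: double ' (and \ when the server treats it as an
 * escape), advancing one character, not one byte, at a time. */
size_t escape_for_conn(char *out, size_t outlen, const char *in, size_t inlen,
                       const struct sql_conn_ctx *conn)
{
    const unsigned char *p = (const unsigned char *)in;
    size_t used = 0;
    while (inlen > 0) {
        size_t n = conn->charlen ? conn->charlen(p, inlen) : 1;
        bool special = n == 1 &&
            (*p == '\'' || (*p == '\\' && conn->backslash_is_escape));
        if (used + (special ? 2 : n) >= outlen) break;
        if (special) { out[used++] = (char)*p; out[used++] = (char)*p; }
        else { memcpy(out + used, p, n); used += n; }
        p += n; inlen -= n;
    }
    out[used] = '\0';
    return used;
}

/* Read escaped bytes back in the server's encoding and count backslashes that
 * stand alone as a single-byte character: with backslash escapes on, each one
 * swallows the byte after it, which may be the closing quote. */
size_t stray_backslashes(const char *s, size_t len, charlen_fn charlen)
{
    const unsigned char *p = (const unsigned char *)s;
    size_t count = 0;
    while (len > 0) {
        size_t n = charlen(p, len);
        if (n == 1 && *p == '\\') {
            if (len >= 2 && p[1] == '\\') n = 2;   /* doubled: literal backslash */
            else count++;
        }
        p += n; len -= n;
    }
    return count;
}

/* Two assumed connections to a server with backslash escapes on: one escaping
 * blind, one that knows the client encoding is GBK. */
const struct sql_conn_ctx CONN_BYTEWISE = { NULL, true };
const struct sql_conn_ctx CONN_GBK = { charlen_gbk, true };
/* Static-buffer wrappers for the demonstration in main(). */
const char *safe_chars_of(const char *in)
{ static char buf[128]; escape_safe_chars(buf, sizeof buf, in); return buf; }
const char *conn_escape_of(const char *in, const struct sql_conn_ctx *conn)
{ static char buf[128]; escape_for_conn(buf, sizeof buf, in, strlen(in), conn); return buf; }

int main(void)
{
    const char *gbk = "\xbf\x5c";   /* constructed: valid GBK character, trail byte 0x5C */
    const char *e;
    printf("safe-characters: %s\n", safe_chars_of("O'Brien"));   /* O=27Brien */
    e = conn_escape_of(gbk, &CONN_BYTEWISE);
    printf("blind: %zu stray backslash\n", stray_backslashes(e, strlen(e), charlen_gbk));
    e = conn_escape_of(gbk, &CONN_GBK);
    printf("GBK-aware: %zu stray backslash\n", stray_backslashes(e, strlen(e), charlen_gbk));
    return 0;
}
```

The practical consequence for the patch under discussion: the escaper has to receive the connection (or a context carrying its client encoding and standard_conforming_strings setting) along with the string, and a three-argument (out, outlen, in) callback has nowhere to put that, which is exactly the gap the post points at.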