SQL escaping
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Wed Sep 19 19:13:33 CEST 2012
>
>
> update control {
> Tmp-String-0 := "table1"
> }
> update control {
> Tmp-Integer-0 := "%{sql:select * from %{control:Tmp-String-0} ...}"
> }
>
> Does anyone have any insight into how to go about this?
I guess you could have a special xlat function that does double expansion... That's what you really want here; it's not something specific to the sql module.

update control {
	Tmp-String-2 := "%{eval:%%{sql:SELECT * FROM %{control:Tmp-String-0} WHERE username='%%{User-Name}'}}"
}

That'd let you do what you wanted, right?
There might already be one buried in the depths of the server somewhere.
> In particular, I note that the libpq API requires a reference to the connection object you're about to send the query down, because per-connection attributes (like client encoding) might affect the escaping. This could be doubly troublesome if you are talking to >1 backend with distinct SQL settings (a bad idea I know).
Yeah +1 for the escape function accepting a context pointer.
-Arran
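
An added illustration of the context-pointer point above, not code from this thread or from FreeRADIUS: an escape callback that receives the connection it is escaping for, so two backends with different string settings get different output for the same input. The types and names (example_conn_t, example_escape_t, example_sql_escape) are hypothetical, the sample data is constructed, and only the backslash setting is modelled, not client encoding; with libpq the real work is done by PQescapeStringConn.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical per-connection state (not a FreeRADIUS or libpq type). */
typedef struct {
    const char *name;
    int backslash_is_escape; /* 1 if this backend treats '\' as an escape in literals */
} example_conn_t;

/* Hypothetical escape callback signature that carries a context pointer. */
typedef int (*example_escape_t)(void *ctx, char *out, size_t outlen, const char *in);

/*
 * Escape `in` for a single-quoted SQL literal on the connection passed as ctx.
 * Returns the escaped length, or -1 if ctx is missing or the result would not
 * fit; the caller must then refuse to build the query rather than truncate.
 */
int example_sql_escape(void *ctx, char *out, size_t outlen, const char *in)
{
    const example_conn_t *conn = ctx;
    size_t used = 0;

    if (!conn || !out || !in || outlen == 0) return -1;

    for (; *in; in++) {
        int dbl = (*in == '\'') || (*in == '\\' && conn->backslash_is_escape);
        size_t need = dbl ? 2 : 1;

        if (used + need >= outlen) { out[0] = '\0'; return -1; }
        if (dbl) out[used++] = *in;   /* double quotes, and backslashes if required */
        out[used++] = *in;
    }
    out[used] = '\0';
    return (int)used;
}

int main(void)
{
    /* Constructed sample: two backends with different settings, one User-Name. */
    example_conn_t a = { "backend-a", 0 }, b = { "backend-b", 1 };
    example_conn_t *conns[] = { &a, &b };
    example_escape_t esc = example_sql_escape;
    const char *user = "DOM\\o'brien";
    char buf[64];

    for (int i = 0; i < 2; i++) {
        int len = esc(conns[i], buf, sizeof(buf), user);
        printf("%s: %zu -> %d bytes: username='%s'\n", conns[i]->name, strlen(user), len, buf);
    }
    return 0;
}
```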