SQL escaping

Phil Mayers p.mayers at imperial.ac.uk
Fri Sep 21 02:33:50 CEST 2012

On 09/20/2012 05:45 PM, Arran Cudbard-Bell wrote:

> So you can ignore those safe in the knowledge they'll be gone by the time we release 3.0.

If we're happy to throw away the single-char xlat, then this should be a 
working patch:


It does the escaping once, in radius_xlat, and doesn't pass the escape 
func down the stack. It fixes up all uses of the various changed 
prototypes, and makes use of the new context argument to make 
safe-characters a per-instance rather than global in the various SQL 

It compiles and fires up and does basic xlat here for me.

If we want to retain the single-char xlat I can add these in on top.

The rlm_sqlcounter code needs extensive testing and review; I made some 
rather more extensive changes there for what seemed like simplicity, 
specifically I removed its SQL escaping entirely, and rely on:

%{sql:select '%{var}'}

...the sql_xlat function in the parent SQL module correctly escaping 
everything to the right of the ":".

If the basic approach looks right, I can rework cosmetic or naming as 
needed and once that is in "master", do a 2nd patchset which adds an 
"escape" function to the SQL driver layer, and gives the option of 
per-connection escaping for postgresql/mysql.

More information about the Freeradius-Devel mailing list
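As an added illustration (not code from the patch above or from the FreeRADIUS tree), here is the escape-once scheme the post describes: a per-instance safe-character set carried on a context struct, unsafe bytes rewritten as `=XX` hex, and the `%{sql:select '%{var}'}` expansion escaping the inner value exactly once before splicing it to the right of the ":". The struct, function names and the sample safe-character set are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Per-instance context (the "context argument" idea): each SQL module
 * instance carries its own safe-character set instead of a global.
 * Constructed sample; a real module would read this from its config. */
typedef struct {
    const char *safe_chars;
} sql_inst_t;

static const char SAMPLE_SAFE_CHARS[] =
    "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /";

/* Escape `in` into `out`: every byte not in inst->safe_chars becomes "=XX"
 * (two uppercase hex digits). Returns bytes written (excluding the NUL), or
 * -1 if `out` is too small. '=' is itself unsafe, so escaping twice
 * re-escapes the first pass ("=27" -> "=3D27"): the reason the xlat layer
 * must escape exactly once rather than at every level of the stack. */
static int sql_escape_func(const sql_inst_t *inst, const char *in, char *out, size_t outlen)
{
    size_t used = 0;
    if (outlen == 0) return -1;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        if (strchr(inst->safe_chars, c)) {
            if (used + 1 >= outlen) { out[0] = '\0'; return -1; }
            out[used++] = (char)c;
        } else {
            if (used + 3 >= outlen) { out[0] = '\0'; return -1; }
            snprintf(out + used, 4, "=%02X", c);
            used += 3;
        }
    }
    out[used] = '\0';
    return (int)used;
}

/* Expand %{sql:select '%{var}'}: escape the inner value once, then splice
 * it into the query text. Returns the query length, or -1 on overflow. */
static int build_select_query(const sql_inst_t *inst, const char *var, char *out, size_t outlen)
{
    char esc[256];
    int n;
    if (sql_escape_func(inst, var, esc, sizeof(esc)) < 0) return -1;
    n = snprintf(out, outlen, "select '%s'", esc);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}
```

With the sample set, the value `O'Brien` expands to `select 'O=27Brien'`; feeding that escaped value through the function a second time yields `O=3D27Brien`, which is the double-escaping the single-pass design avoids.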