SQL escaping

Phil Mayers p.mayers at imperial.ac.uk
Fri Sep 21 16:05:05 CEST 2012

On 21/09/12 13:14, Arran Cudbard-Bell wrote:

> I'm presuming that properly escaped strings will be converted back to
> there unescaped form when they get inserted into the database?

Yes. If the NAS sends:

User-Name = "foo'bar"
Some-Attr = "some\ntext"

...then then SQL escape function will generate a string
(depending on what the DB driver does for escaping):

insert into x (username,msg) values (E'foo''bar', E'some<newline>

...and the value in the SQL column will be:


> Applications that relied on FreeRADIUS to do the escaping of special
> characters would then be vulnerable to various other kinds of
> injection attacks.

The idea would be that by using the DB escape code, you eliminate *all* 
vulnerability to injection attacks. Xlat will always generate correctly 
quoted strings.

But I think you're talking about other apps that then *read* the data FR 
has inserted, in which case see below.

> I've copied the safe character code into another xlat function (could
> you pull and update that as part of your patch set too). In your
> second patch set please wrap user modifiable attributes e.g.
> User-Name/User-Password where they're used in INSERT/UPDATE queries
> with %{encode:}, this should minimise the risk of administrators
> inadvertently exposing other applications to raw user provided data.

My intention was to make the escaping mode a setting on the SQL instance 
that defaults to safe-characters, but can be set to "native".

More information about the Freeradius-Devel mailing list