SQL escaping
Phil Mayers
p.mayers at imperial.ac.uk
Fri Sep 21 19:13:26 CEST 2012
On 21/09/12 15:52, Arran Cudbard-Bell wrote:
> However, the SQL module has been around for nearly a decade now, so
> it'd be good to provide backwards compatibility with the default
> config, for attributes that commonly contain user input, hence
> suggesting the default config still escape User-Name/User-Password.
Ok, have a look at:
https://github.com/philmayers/freeradius-server/tree/escape-context
I've worked hard to break the changes up into a series of small commits
that should be easy to review. It doesn't touch the 1-char xlats, and
tries to be as minimal as possible.
The last few commits actually make use of the new argument to
radius_xlat; specifically, the SQL module's "safe-characters" is now
per-instance, and not a static global variable. Which is good.
So, there are no changes to the SQL escaping method - just the addition and
basic use of escape function context/request arguments.
If you think this is ok and "pull" it, I'll work up patches next week to
actually add driver-based SQL escaping as an option. I agree we should
leave the default as-is.
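To make the "per-instance safe-characters" point concrete, here is an added, self-contained illustration that is not code from the FreeRADIUS tree or from the branch linked above. It assumes a constructed `sql_instance_t` holding its own `safe_characters` string and an escape callback that receives that instance as its context argument; bytes outside the instance's safe set are written as `=XX` (two hex digits), which is the convention this example assumes for rlm_sql-style escaping. Two instances with different safe sets are escaped through the same function to show why the context pointer, rather than a static global, is what selects the safe set.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed per-instance configuration (hypothetical type): each SQL
 * module instance carries its own safe-character set, so two instances
 * loaded in the same server can escape differently. */
typedef struct sql_instance {
    const char *name;
    const char *safe_characters;
} sql_instance_t;

/* Two constructed instances. The "lenient" one additionally treats
 * ':', ' ' and '/' as safe; everything else is escaped. */
static const sql_instance_t strict_instance = {
    "sql_strict",
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@.-_"
};
static const sql_instance_t lenient_instance = {
    "sql_lenient",
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@.-_: /"
};

/* Escape callback in the shape of (out, outlen, in, context): the context
 * is the instance whose safe set applies. Any byte not in that set is
 * emitted as "=XX" with two uppercase hex digits. Returns the number of
 * bytes written, excluding the NUL; the output is always NUL-terminated
 * when outlen > 0, and escaping stops early rather than splitting an
 * "=XX" triple when the buffer runs out. */
size_t sql_escape(char *out, size_t outlen, const char *in, const void *ctx)
{
    const sql_instance_t *inst = ctx;
    size_t written = 0;

    if (outlen == 0) return 0;

    while (*in) {
        unsigned char c = (unsigned char)*in;

        if (strchr(inst->safe_characters, c)) {
            if (written + 1 >= outlen) break;   /* no room for byte + NUL */
            out[written++] = (char)c;
        } else {
            if (written + 3 >= outlen) break;   /* no room for "=XX" + NUL */
            snprintf(out + written, 4, "=%02X", (unsigned)c);
            written += 3;
        }
        in++;
    }
    out[written] = '\0';
    return written;
}

/* Helper: escape `in` under `inst` and compare with `expected`. */
int escape_matches(const sql_instance_t *inst, const char *in, const char *expected)
{
    char buf[256];
    sql_escape(buf, sizeof buf, in, inst);
    return strcmp(buf, expected) == 0;
}

/* Helper: how many bytes are written when only `outlen` bytes are available. */
size_t escape_len(const sql_instance_t *inst, const char *in, size_t outlen)
{
    char buf[256];
    if (outlen > sizeof buf) outlen = sizeof buf;
    return sql_escape(buf, outlen, in, inst);
}

int main(void)
{
    const char *user_name = "bob o'reilly";   /* constructed User-Name value */
    char buf[256];

    sql_escape(buf, sizeof buf, user_name, &strict_instance);
    printf("%s: %s\n", strict_instance.name, buf);
    sql_escape(buf, sizeof buf, user_name, &lenient_instance);
    printf("%s: %s\n", lenient_instance.name, buf);
    return 0;
}
```

The same input escapes to `bob=20o=27reilly` under the strict instance and `bob o=27reilly` under the lenient one; with a single static safe set, both instances would necessarily produce the same output.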