rlm_sql sql_escape_func

Herwin Weststrate freeradius at herwinw.nl
Tue Jan 8 17:49:30 CET 2019


Alan DeKok wrote:
> On Jan 8, 2019, at 9:32 AM, Hagen Münch <hmuench at gordiancode.com> wrote:
>>
>>
>> I met the problem that if there are string values in a data base that contain single-quotes, the radius_axlat function expands a "foo'bar" to "foo27bar" by using the sql_escape_func of the rlm_sql module.
> 
>    That's what the SQL escape function does.
> 
>> I solved it by adding
>> ...
>> Do you think this approach is appropriate and would it be possible to add this single-quote escape case to the v3.x source? Thank you.
> 
>    It's not correct.
> 
>    You can set "sql_safe_characters" in the SQL configuration.  See raddb/mods-config/sql/main/*/queries.conf for more information.

It is (or will become) a bit more complicated: both 4.x and 3.0.x (the 
next 3.0 release) have a possibility to get a more specific escape 
function per driver. This has been implemented for MySQL and Postgres. 
It could be implemented for other drivers as well, it's just that nobody 
has done that yet.
So you might want to have a look at the git version of 3.0, it may 
contain code that solves your problem.

-- 
Herwin Weststrate
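Added illustration, not code from FreeRADIUS or from anyone in this thread: a Python model of the three behaviours discussed above. The generic escape is assumed to encode each unsafe byte as `=` plus two hex digits over the default safe-character set from queries.conf (both are assumptions of this model), the second case marks the single quote as "safe" as the original poster wanted, and the last two use the per-driver quoting (Postgres doubles the quote, MySQL backslash-escapes it). A small literal parser then checks whether the value still forms exactly one SQL string literal.

```python
# Constructed model of rlm_sql escaping behaviour; names and the safe set are
# assumptions, not the FreeRADIUS source.
DEFAULT_SAFE = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"

def generic_escape(value, safe_chars=DEFAULT_SAFE):
    """Generic escape: any byte outside the safe set becomes '=' + two hex digits."""
    return "".join(chr(b) if chr(b) in safe_chars else "=%02X" % b
                   for b in value.encode("utf-8"))

def postgres_escape(value):
    """Driver-specific quoting for Postgres: a quote inside a literal is doubled."""
    return value.replace("'", "''")

def mysql_escape(value):
    """Driver-specific quoting for MySQL (subset of mysql_real_escape_string)."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\n": "\\n", "\r": "\\r"}
    return "".join(table.get(c, c) for c in value)

def build_query(escaped_value):
    # Constructed query shape; the escaped value is dropped into a quoted literal.
    return "SELECT id FROM radcheck WHERE username = '%s'" % escaped_value

def extract_literal(query, dialect):
    """Decode the first single-quoted literal in QUERY under DIALECT's rules.
    Returns (decoded_value, text_after_literal); the trailing text should be
    empty for a well-formed statement, None means the literal never closed."""
    i = query.index("'") + 1
    out = []
    while i < len(query):
        c = query[i]
        if dialect == "mysql" and c == "\\" and i + 1 < len(query):
            out.append(query[i + 1]); i += 2; continue          # backslash escape
        if c == "'":
            if dialect == "postgres" and query[i + 1:i + 2] == "'":
                out.append("'"); i += 2; continue               # doubled quote
            return "".join(out), query[i + 1:]                  # literal closed here
        out.append(c); i += 1
    return "".join(out), None                                   # unterminated

def demo(value="O'Brien"):
    """Run one value through each strategy and report what the database would see."""
    results = {}
    # Generic escape: statement stays well-formed, but the stored value is mangled.
    results["generic"] = extract_literal(build_query(generic_escape(value)), "postgres")
    # Quote marked as safe: the raw quote closes the literal early (structure changed).
    results["quote_marked_safe"] = extract_literal(
        build_query(generic_escape(value, DEFAULT_SAFE + "'")), "postgres")
    # Driver-specific quoting: the value round-trips exactly and the literal is intact.
    results["postgres"] = extract_literal(build_query(postgres_escape(value)), "postgres")
    results["mysql"] = extract_literal(build_query(mysql_escape(value)), "mysql")
    return results
```

Running `demo()` shows the generic path storing `O=27Brien`, the "safe quote" path splitting the literal at `O`, and the driver-specific paths returning `O'Brien` with nothing left over.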
