rlm_sql sql_escape_func

Hagen Münch hmuench at gordiancode.com
Tue Jan 8 18:05:25 CET 2019


Ok, I'll have a look. Thank you.

-----Original Message-----
From: Freeradius-Devel <freeradius-devel-bounces+hmuench=gordiancode.com at lists.freeradius.org> On Behalf Of Herwin Weststrate
Sent: Tuesday, 8 January 2019 17:50
To: freeradius-devel at lists.freeradius.org
Subject: Re: rlm_sql sql_escape_func

Alan DeKok wrote:
> On Jan 8, 2019, at 9:32 AM, Hagen Münch <hmuench at gordiancode.com> wrote:
>>
>>
>> I met the problem that if there are string values in a database that contain single-quotes, the radius_axlat function expands a "foo'bar" to "foo27bar" by using the sql_escape_func of the rlm_sql module.
> 
>    That's what the SQL escape function does.
> 
>> I solved it by adding
>> ...
>> Do you think this approach is appropriate and would it be possible to add this single-quote escape case to the v3.x source? Thank you.
> 
>    It's not correct.
> 
>    You can set "sql_safe_characters" in the SQL configuration.  See raddb/mods-config/sql/main/*/queries.conf for more information.

It is (or will become) a bit more complicated: both 4.x and 3.0.x (the next 3.0 release) have a possibility to get a more specific escape function per driver. This has been implemented for MySQL and Postgres. 
It could be implemented for other drivers as well, it's just that nobody has done that yet.
So you might want to have a look at the git version of 3.0, it may contain code that solves your problem.

-- 
Herwin Weststrate
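
A simplified sketch of the allowlist escaping discussed in this thread, added here as an example and not taken from the FreeRADIUS source or from any poster. It assumes an `=XX` hex encoding for bytes outside the allowlist; `SAFE_CHARS`, `escape_allowlist`, `build_query`, `count_char` and the query text are hypothetical. It shows that an escaped quote cannot close the SQL string literal, while a quote added to the allowlist passes through and leaves the literal unbalanced.

```c
#include <stdio.h>
#include <string.h>
/* Allowlist assumed for this sketch (constructed, not read from any config). */
#define SAFE_CHARS "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"

/* Hypothetical helper: copy `in` to `out`, writing each byte not in `safe` as "=XX".
 * Simplification: non-ASCII bytes are always encoded. Returns length, or -1 if too small. */
static int escape_allowlist(char *out, size_t outlen, const char *in, const char *safe)
{
    size_t used = 0;
    if (outlen == 0) return -1;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        if (c >= 32 && c < 127 && strchr(safe, c)) {
            if (used + 1 >= outlen) return -1;      /* keep room for the NUL */
            out[used++] = (char)c;
        } else {
            if (used + 3 >= outlen) return -1;      /* "=XX" plus the NUL */
            snprintf(out + used, 4, "=%02X", (unsigned)c);
            used += 3;
        }
    }
    out[used] = '\0';
    return (int)used;
}

/* Constructed query: the escaped value is placed inside a quoted literal. */
static int build_query(char *q, size_t qlen, const char *value, const char *safe)
{
    char esc[128];
    if (escape_allowlist(esc, sizeof(esc), value, safe) < 0) return -1;
    int n = snprintf(q, qlen, "SELECT value FROM radcheck WHERE username = '%s'", esc);
    return (n < 0 || (size_t)n >= qlen) ? -1 : 0;
}

static int count_char(const char *s, char c)
{
    int n = 0;
    for (; *s; s++) n += (*s == c);
    return n;
}

int main(void)
{
    const char *lists[] = { SAFE_CHARS, SAFE_CHARS "'" };  /* default, then quote allowed */
    char q[256];
    for (int i = 0; i < 2; i++)
        if (build_query(q, sizeof(q), "foo'bar", lists[i]) == 0)
            printf("%d quotes: %s\n", count_char(q, '\''), q);
    return 0;
}
```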