special characters in username in rlm_sql

Nicolas Baradakis nbk at sitadelle.com
Wed Mar 29 16:00:54 CEST 2006


Duane Cox wrote:

> Apparently somewhere (rlm_sql ?) the username is being changed,
> possibly in an anti-injection function, I don't know.
> Can someone shed some light on this?
>
> For instance, in the debug snip below, the username 'dcox&dcox' is
> changed to 'dcox=26dcox' which of course fails the sql select
> statement.

It's not a bug, it's a feature. It prevents SQL injection attacks
on your backend database.

http://www.google.com/search?q=sql+injection+attack

As Alan said, you can change the "safe-characters" option in sql.conf,
but only if you know exactly what you are doing.

-- 
Nicolas Baradakis
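Below is an added example, not FreeRADIUS code and not from either poster, that models the "safe-characters" escaping discussed in this thread and shows both the lookup failure Duane saw and the injection it prevents. The exact safe-characters string, the radcheck rows and the SELECT template are constructed assumptions; FreeRADIUS escapes each character outside the safe set as "=" followed by two uppercase hex digits, which is what turns 'dcox&dcox' into 'dcox=26dcox'.

```python
import sqlite3

# Constructed safe set modelled on the "safe-characters" option in sql.conf.
# The exact string is an assumption for this example, not quoted from FreeRADIUS.
SAFE_CHARACTERS = (
    "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789.-_: /"
)


def sql_escape(value, safe=SAFE_CHARACTERS):
    """Escape every character outside `safe` as =XX (uppercase hex of each byte).

    This reproduces the transformation seen in the debug output:
    'dcox&dcox' -> 'dcox=26dcox' (0x26 is '&').
    """
    out = []
    for ch in value:
        if ch in safe:
            out.append(ch)
        else:
            # Multi-byte characters are escaped byte by byte.
            out.extend(f"={b:02X}" for b in ch.encode("utf-8"))
    return "".join(out)


def make_db():
    """Constructed in-memory radcheck table holding the username from the thread."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE radcheck (username TEXT, attribute TEXT, op TEXT, value TEXT)"
    )
    con.executemany(
        "INSERT INTO radcheck VALUES (?, ?, ?, ?)",
        [
            ("dcox&dcox", "User-Password", "==", "secret"),   # constructed row
            ("alice", "User-Password", "==", "hunter2"),      # constructed row
        ],
    )
    return con


def authorize_query(username, escape=True, safe=SAFE_CHARACTERS):
    """Build an authorize SELECT by string expansion, as a query template does.

    With escape=False the raw username is spliced into the SQL, which is
    exactly the injection the safe-characters filter exists to stop.
    """
    name = sql_escape(username, safe) if escape else username
    return f"SELECT username FROM radcheck WHERE username = '{name}'"


def lookup(con, username, escape=True, safe=SAFE_CHARACTERS):
    """Run the authorize query and return the usernames it matched."""
    return [row[0] for row in con.execute(authorize_query(username, escape, safe))]


if __name__ == "__main__":
    con = make_db()
    # The thread's symptom: the escaped name no longer matches the stored row.
    print(authorize_query("dcox&dcox"), "->", lookup(con, "dcox&dcox"))
    # Adding '&' to safe-characters makes the lookup work again.
    print(lookup(con, "dcox&dcox", safe=SAFE_CHARACTERS + "&"))
    # What the filter protects against: a classic quote-and-comment payload.
    payload = "' OR 1=1 --"
    print(authorize_query(payload, escape=False), "->", lookup(con, payload, escape=False))
    print(authorize_query(payload), "->", lookup(con, payload))
```

The last two calls are the practical caveat behind "only if you know exactly what you are doing": widening safe-characters with '&' fixes this one username, but widening it with the quote character would let the payload through unchanged, so any character added to the list must be one the backend's SQL dialect cannot interpret as syntax.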




More information about the Freeradius-Users mailing list