special characters in username in rlm_sql
Nicolas Baradakis
nbk at sitadelle.com
Wed Mar 29 16:00:54 CEST 2006
Duane Cox wrote:
> Apparently somewhere (rlm_sql ?) the username is being changed
> possibly in an anti-injection function, I don't know.
> Can someone shed some light on this?
>
> For instance, in the debug snip below, the username 'dcox&dcox' is
> changed to 'dcox=26dcox' which of course fails the sql select
> statement.
It's not a bug, it's a feature. It prevents SQL injection attacks
on your backend database.
http://www.google.com/search?q=sql+injection+attack
As Alan said, you can change the "safe-characters" option in sql.conf,
but only if you know exactly what you are doing.
--
Nicolas Baradakis
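
The escaping discussed in this thread, sketched as an added example (not FreeRADIUS source code and not part of the original message): any byte outside the allow-list is rewritten as "=XX" hex, which is how 'dcox&dcox' becomes 'dcox=26dcox' and why a quote character never reaches the SQL statement. The function name, the default allow-list string and the uppercase hex digits are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed default allow-list, modelled on the sql.conf "safe-characters" option. */
static const char *DEFAULT_SAFE =
    "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /";

/*
 * Hypothetical helper: copy `in` to `out`, replacing every control byte and
 * every byte not listed in `safe` with "=XX" (two hex digits).
 * Returns the number of bytes written (excluding the NUL) and stops early
 * rather than overflowing `out`.
 */
size_t escape_username(char *out, size_t outlen, const char *in, const char *safe)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t n = 0;

    if (outlen == 0) return 0;
    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;
        if (c >= 32 && strchr(safe, c) != NULL) {
            if (n + 1 >= outlen) break;      /* no room for byte + NUL */
            out[n++] = (char)c;
        } else {
            if (n + 3 >= outlen) break;      /* no room for "=XX" + NUL */
            out[n++] = '=';
            out[n++] = hex[c >> 4];
            out[n++] = hex[c & 0x0F];
        }
    }
    out[n] = '\0';
    return n;
}

int main(void)
{
    /* Constructed sample usernames: the one from the thread and one with quotes. */
    const char *samples[] = { "dcox&dcox", "x' OR '1'='1" };
    char widened[128], buf[128];

    /* Allow-list with only '&' added, the narrowest change for this username. */
    snprintf(widened, sizeof widened, "%s&", DEFAULT_SAFE);
    for (size_t i = 0; i < 2; i++) {
        escape_username(buf, sizeof buf, samples[i], DEFAULT_SAFE);
        printf("default: %-14s -> %s\n", samples[i], buf);
        escape_username(buf, sizeof buf, samples[i], widened);
        printf("with &:  %-14s -> %s\n", samples[i], buf);
    }
    return 0;
}
```

With only '&' added to the allow-list, the first username passes through unchanged while the quotes and '=' in the second are still encoded; adding a quote character to the list would remove that protection.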