Is it dangerous to change sql safe_characters?
d tbsky
tbskyd at gmail.com
Thu Jul 30 16:17:55 CEST 2015
2015-07-30 21:21 GMT+08:00 Herwin Weststrate <herwin at quarantainenet.nl>:
> On 30-07-15 14:51, d tbsky wrote:
>> Hi Alan:
>>
>> ok. then I will give up the idea. I am curious is "\" dangerous?
>
> Say we have a logging function that writes successful authentications to
> a database:
>
> INSERT INTO logging (timestamp, username)
> VALUES (now(), '%{User-Name}%')
>
> With using the username "foo\" the query would become:
>
> INSERT INTO logging (timestamp, username)
> VALUES (now(), 'foo\')
>
> Now the last "'" is escaped and the query generates a syntax error.

But in reality, in 3.0.9, if I add "\" to safe_characters, FreeRADIUS will
present it with "\\" when writing to SQL, and all other special
characters are escaped by default, so everything seems fine. So I am
curious what will go wrong.

But for now I only have the username attribute that will contain the "\" character.
I don't know if FreeRADIUS will present all the "\" with "\\"
correctly for all the attributes.

Regards,
tbskyd.
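
The `foo\` case from the quoted reply can be checked offline with a small model of how a SQL lexer finds the end of a string literal. This is an added example, not part of the original message and not FreeRADIUS code; `read_literal` and `logged_username` are hypothetical names, and the backslash-escape mode is an assumption about the database dialect (it matches MySQL's default behaviour).

```python
# Added illustration, not FreeRADIUS code. Models how a SQL lexer finds the
# end of a single-quoted literal under two escaping conventions.

def read_literal(sql, start, backslash_escapes):
    """Scan the single-quoted literal that opens at sql[start].

    Returns (value, index_after_closing_quote), or None if the literal is
    never closed (the server would report a syntax error).
    backslash_escapes=True models a dialect where a backslash escapes the
    next character (MySQL default); False models standard SQL, where only
    a doubled quote is special.
    """
    out = []
    i = start + 1
    while i < len(sql):
        ch = sql[i]
        if backslash_escapes and ch == "\\":
            if i + 1 >= len(sql):
                return None
            out.append(sql[i + 1])  # simplification: \n, \t etc. not mapped
            i += 2
        elif ch == "'":
            if sql[i + 1:i + 2] == "'":  # '' is an embedded quote
                out.append("'")
                i += 2
            else:
                return "".join(out), i + 1
        else:
            out.append(ch)
            i += 1
    return None

# Query shape taken from the quoted message, with the attribute as a slot.
TEMPLATE = "INSERT INTO logging (timestamp, username) VALUES (now(), '{}')"

def logged_username(expanded, backslash_escapes):
    """Substitute an already-expanded User-Name; return the value the server
    would store, or None if the statement no longer parses."""
    sql = TEMPLATE.format(expanded)
    lit = read_literal(sql, sql.index("'"), backslash_escapes)
    if lit is None:
        return None
    value, end = lit
    return value if sql[end:] == ")" else None
```

With backslash escapes on, the raw `foo\` fails to parse and the doubled form stores `foo\`; with them off, the doubled form stores two backslashes, so the escaping has to match the dialect in use.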