rlm_sql and string escaping

Unik unik at compot.ru
Tue Sep 8 13:53:57 CEST 2015


Hello list!

I'm currently trying to port our custom GPL'ed FreeRADIUS module to
3.x. In addition to updating it to work on newer versions I tried to
convert it from using our own half-assed SQL abstraction layer to
rlm_sql's (using rlm_sqlhpwippool as an inspiration). While doing that
I noticed that there are no DB-specific mechanisms to escape strings
for use in DB queries (sql_escape_func is too strict and doesn't know
about DB escaping rules).

So my question is - is it ok for me to extend rlm_sql with DB-specific
string escaping API, and if so, what are your suggestions and
requirements for such an API?

One thing to consider is that data-string-escaping and identifier
-string-escaping follow different rules in several DBs.

My current plan is:
* Add another function pointer to rlm_sql instance
  (sql_string_escape_func).
* Make it default to sql_escape_func.
* Check if driver implements its own string escaping function,
  and if so, replace sql_string_escape_func with it.
  This implies that new function will have the same signature
  as sql_escape_func.

-- 
With best regards,

Alex Unigovsky
mailto:unik at compot.ru
Systems Administrator
Maksim Co. Ltd.
work: +7 495 981-0313
cell: +7 926 619-8997
23 Barishikha st.
125368
Moscow
Russian Federation

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20150908/9f9c30be/attachment.sig>


More information about the Freeradius-Users mailing list