SQL-User-Name in %{sql:..} expansion

Jakob Hirsch jh at plonk.de
Thu May 19 09:15:01 CEST 2016


Arran Cudbard-Bell wrote on 2016-05-18 16:18:
> SQL-User-Name is only useful because it expands to the group being
> processed.  For everything else the xlat escape function will prevent
> injection attacks.

Oh, ok. I thought the main use is that it's safe against SQL injections
(because of the escaping). Of course, if one uses other attributes in
the query, expr's escape would be needed for that.

I tend to think that using the native escaping function would be better
(like mysql_real_escape), but then you would have to make sure that it uses
the same context/connection as the query in which it will be used, which
might be tricky.

Anyway, I digress. So I will just use escape. Thanks for the input!
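To make the escaping point concrete, here is an added example (not code from the thread, and not FreeRADIUS's own rlm_sql source) that models how the SQL xlat escape turns every character outside a safe set into `=HH` hex before the value is substituted into the query, and contrasts it with a naive substitution. The safe character set is assumed from the rlm_sql `safe_characters` default, the `%{User-Name}` template and the attribute values are constructed for the demonstration, and the helper names are hypothetical.

```python
import re

# Assumed to mirror the rlm_sql "safe_characters" default; check your module
# configuration, this is an assumption made for the example.
SAFE_CHARACTERS = ("@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
                   "0123456789.-_: /")


def xlat_escape(value: str) -> str:
    """Model of the rlm_sql xlat escape: any character not in the safe set
    is rewritten as '=HH' (one pair per UTF-8 byte), so quotes, backslashes
    and '=' itself never reach the SQL string literally. Because it works on
    bytes, it does not depend on the connection's character set, unlike
    mysql_real_escape_string."""
    out = []
    for ch in value:
        if ch in SAFE_CHARACTERS:
            out.append(ch)
        else:
            out.extend("=%02X" % b for b in ch.encode("utf-8"))
    return "".join(out)


def expand(template: str, attrs: dict, escape) -> str:
    """Expand %{Attribute-Name} references with the given escape function.
    Every referenced attribute is passed through 'escape', which is the
    property the thread is after: each attribute used in a query must be
    escaped, not just SQL-User-Name."""
    def sub(match):
        return escape(attrs.get(match.group(1), ""))
    return re.sub(r"%\{([A-Za-z0-9-]+)\}", sub, template)


def string_literals(sql: str) -> list:
    """Return the contents of the single-quoted literals in a query. A query
    whose literal count differs from the template's has been restructured
    by its input."""
    return re.findall(r"'([^']*)'", sql)


# Constructed inputs for the demonstration.
TEMPLATE = "SELECT id FROM radcheck WHERE username = '%{User-Name}'"
ATTRS = {"User-Name": "bob' OR 'x'='x"}


def naive_query() -> str:
    # Substitution with no escaping: the quote in the value closes the literal.
    return expand(TEMPLATE, ATTRS, lambda s: s)


def escaped_query() -> str:
    # Substitution through the xlat escape: the value stays one literal.
    return expand(TEMPLATE, ATTRS, xlat_escape)


if __name__ == "__main__":
    for label, q in (("naive", naive_query()), ("escaped", escaped_query())):
        print(f"{label:8s} literals={len(string_literals(q))}: {q}")
```

The check the practitioner wants is the literal count: the naive expansion yields three literals where the template had one, while the escaped expansion yields exactly one literal whose contents are the escaped value. Note that the `=HH` form changes what is stored and compared in the database, which is why FreeRADIUS applies the same escape to `SQL-User-Name` everywhere it is used, so that group lookups match the escaped value consistently.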


More information about the Freeradius-Users mailing list