Apostrophe in username

Dom Latter freeradius-users at latter.org
Fri Nov 2 11:06:57 CET 2018


On 30/10/2018 18:06, Stefan Winter wrote:
> Hi,
> 
>>> Not a problem if the queries are properly escaped or parameterised.
>>
>>    That's what the "safe_characters" configuration does.  Allows "safe" characters, and escapes everything else.
> 
> Well, to be fair to the OP: using prepared statements would make all
> those escaping adventures obsolete.

Or just using conventional escape mechanisms (e.g.
mysql_real_escape_string()).

> In other projects, I learned to love the ability to defer all escaping
> questions to the library, and just send the stuff I want to send, with
> peace of mind that this is exactly what will end up in the DB.

My account management system is written using the Yii PHP framework,
and it uses PDO, hence apostrophes etc. safely end up in the
database.

It's a long time since I wrote in C but I am guessing that the
following added to sql_escape_func() inside rlm_sql.c would sort it:

		case '\'':
			/* need room for both output bytes (backslash + quote) */
			if (outlen <= 2) break;
			out[0] = '\\';
			out[1] = '\'';

			in++;
			out += 2;
			outlen -= 2;
			len += 2;
			break;
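
The escaping approach discussed in this thread, as a stand-alone added example (not code from the post or from FreeRADIUS): a bounded escaper that passes a hypothetical safe_characters set through untouched, gives apostrophe and backslash a backslash prefix as proposed above, hex-escapes everything else, and stops cleanly rather than overrunning the output buffer when it is full. SAFE_CHARS, sql_escape and escapes_to are names chosen here, not rlm_sql's.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical "safe" set, in the spirit of the safe_characters option. */
static const char SAFE_CHARS[] =
    "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /";

/* Escape `in` into `out` (capacity outlen, always NUL-terminated).
 * Safe characters pass through, apostrophe and backslash get a backslash
 * prefix, anything else becomes "=XX" hex. Returns bytes written (without
 * the NUL); stops cleanly when the output is full instead of overrunning. */
size_t sql_escape(char *out, size_t outlen, const char *in)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t len = 0;

    if (outlen == 0) return 0;
    outlen--;                               /* reserve the NUL */

    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;
        if (strchr(SAFE_CHARS, c) != NULL) {      /* c is never 0 here */
            if (outlen < 1) break;
            out[len++] = (char)c;
            outlen--;
        } else if (c == '\'' || c == '\\') {
            if (outlen < 2) break;                /* room for both bytes? */
            out[len++] = '\\';
            out[len++] = (char)c;
            outlen -= 2;
        } else {
            if (outlen < 3) break;
            out[len++] = '=';
            out[len++] = hex[c >> 4];
            out[len++] = hex[c & 0x0f];
            outlen -= 3;
        }
    }
    out[len] = '\0';
    return len;
}

/* Check helper: escape into a buffer of `cap` bytes and compare the result. */
int escapes_to(const char *in, size_t cap, const char *expected)
{
    char buf[64];
    if (cap > sizeof buf) cap = sizeof buf;
    sql_escape(buf, cap, in);
    return strcmp(buf, expected) == 0;
}
```

A short buffer silently truncates ("ab'c" into 4 bytes yields "ab"), so a caller should compare the returned length with what it expected rather than assume the whole value was escaped; parameterised queries avoid the question entirely.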

