Apostrophe in username
Herwin Weststrate
herwin at quarantainenet.nl
Fri Nov 2 11:29:26 CET 2018
On 02-11-18 11:06, Dom Latter wrote:
> On 30/10/2018 18:06, Stefan Winter wrote:
>> Hi,
>>
>>>> Not a problem if the queries are properly escaped or parameterised.
>>>
>>> That's what the "safe_characters" configuration does. Allows
>>> "safe" characters, and escapes everything else.
>>
>> Well, to be fair to the OP: using prepared statements would make all
>> those escaping adventures obsolete.
>
> Or just using conventional escape mechanisms (e.g.
> mysql_real_escape_string()).
The master branch actually has code like that: every SQL backend can
have a specialised `sql_escape_func` that uses a sane escape method. It
might be a nice thing to backport to v3.0.x as well (with a config
option to enable it; it would break backwards compatibility otherwise).
--
Herwin Weststrate
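Added example (not code from the thread or from FreeRADIUS itself): a small Python/sqlite3 illustration of the two approaches discussed above. `safe_characters_escape` is a simplified stand-in for an allow-list escaper in the spirit of the `safe_characters` setting; the `=XX` hex encoding of disallowed characters and the allow-list contents are assumptions here, not a copy of rlm_sql's implementation. The `radcheck` table, the user `O'Brien` and the password value are constructed sample data.

```python
"""Added example: a user name containing an apostrophe ("O'Brien") looked up
(a) through a safe_characters-style allow-list escaper and (b) through a
parameterised query. Illustration only; not FreeRADIUS code."""
import sqlite3

# Constructed allow-list loosely modelled on a safe_characters setting:
# letters, digits and a little punctuation. Anything else is replaced by
# '=' followed by the two-digit hex of each UTF-8 byte (assumed encoding).
SAFE_CHARACTERS = set(
    "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
)


def safe_characters_escape(value: str) -> str:
    """Allow-list escaping: keep safe characters, hex-encode everything else."""
    out = []
    for ch in value:
        if ch in SAFE_CHARACTERS:
            out.append(ch)
        else:
            out.append("".join(f"={b:02X}" for b in ch.encode("utf-8")))
    return "".join(out)


def make_db() -> sqlite3.Connection:
    """In-memory database with one constructed radcheck row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radcheck (username TEXT, attribute TEXT, value TEXT)"
    )
    conn.execute(
        "INSERT INTO radcheck VALUES (?, ?, ?)",
        ("O'Brien", "Cleartext-Password", "secret"),  # constructed sample
    )
    conn.commit()
    return conn


def lookup_escaped(conn: sqlite3.Connection, username: str):
    """String-built query, made injection-safe only by the escaper.

    Returns (rows, sql). Because the apostrophe is rewritten to =27, the
    stored value 'O'Brien' no longer matches: the query is safe but the
    user is not found unless the row was stored in the same encoding.
    """
    literal = safe_characters_escape(username)
    sql = f"SELECT username FROM radcheck WHERE username = '{literal}'"
    return conn.execute(sql).fetchall(), sql


def lookup_parameterised(conn: sqlite3.Connection, username: str):
    """Parameterised query: the driver keeps data and SQL separate, so the
    apostrophe is passed through as data and the row is found."""
    return conn.execute(
        "SELECT username FROM radcheck WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    rows, sql = lookup_escaped(db, "O'Brien")
    print(sql, "->", rows)                          # no match
    print(lookup_parameterised(db, "O'Brien"))      # [("O'Brien",)]
```

The point the example makes concrete: allow-list escaping stops a quote from terminating the SQL literal, but it does so by altering the value, which is exactly why a user whose name contains an apostrophe can fail to authenticate. A parameterised query (or a per-backend escape function that quotes correctly for that dialect) keeps the original value intact and still never lets it be parsed as SQL.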