Apostrophe in username
Alan DeKok
aland at deployingradius.com
Fri Nov 2 12:04:20 CET 2018
On Nov 2, 2018, at 6:06 AM, Dom Latter <freeradius-users at latter.org> wrote:
> Or just using conventional escape mechanisms (e.g.
> mysql_real_escape_string()).
Which, IIRC, wasn't available when the rlm_sql module was written... in 2000 or so.
As always, patches are welcome.
> My account management system is written using the Yii PHP framework,
> and it uses PDO, hence apostrophes etc. safely ending up in the
> database.
When adding them from the account management system.
I think there's a misconception here. The issue is *not* about apostrophes in the DB. The issue is apostrophes in SQL queries. And, apostrophes which come from *untrusted user input*.
That untrusted user input MUST be escaped for it to be safe. Either that, or passed to a stored procedure.
Adding the apostrophe to the list of safe characters means that any user can own your database. It is absolutely and 100% the wrong thing to do.
> It's a long time since I wrote in C but I am guessing that the
> following added to sql_escape_func() inside rlm_sql.c would sort it:
That's pretty much what the "safe-characters" code already does.
Alan DeKok.
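The following is an added example, not code from this thread or from FreeRADIUS itself. It shows, against a small SQLite table, the three cases the reply contrasts: raw interpolation of an untrusted username (injectable), rlm_sql-style escaping where every byte outside a safe-characters list becomes `=XX` hex (safe, but a username stored with a literal apostrophe no longer matches), and the same lookup with a parameterized query (safe and matches). The `SAFE_CHARACTERS` string, the `radcheck` rows, the injection payload and all function names are assumptions made for the demo; only the `=XX` encoding style follows rlm_sql's documented behaviour.

```python
import sqlite3

# Constructed sample table loosely modelled on FreeRADIUS's radcheck schema
# (assumption for this demo, not the project's real schema or data).
SCHEMA = """
CREATE TABLE radcheck (
    id        INTEGER PRIMARY KEY,
    username  TEXT NOT NULL,
    attribute TEXT NOT NULL,
    op        TEXT NOT NULL,
    value     TEXT NOT NULL
);
"""

ROWS = [
    ("alice",   "Cleartext-Password", ":=", "alice-pw"),
    ("o'brien", "Cleartext-Password", ":=", "obrien-pw"),   # apostrophe stored raw
]

# Approximation of an rlm_sql safe_characters list (assumption, written for
# this example). Anything not in it is rewritten as '=' plus two hex digits.
SAFE_CHARACTERS = (
    "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
)

# Constructed attacker-controlled username: closes the quoted literal,
# appends an always-true condition, and comments out the rest of the query.
INJECTION = "' OR 1 --"


def escape_like_rlm_sql(value: str, safe: str = SAFE_CHARACTERS) -> str:
    """Escape every byte not in `safe` as =XX (hex), rlm_sql style."""
    out = []
    for byte in value.encode("utf-8"):
        ch = chr(byte)
        out.append(ch if ch in safe else "=%02X" % byte)
    return "".join(out)


def open_db() -> sqlite3.Connection:
    """Create the in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO radcheck (username, attribute, op, value) VALUES (?, ?, ?, ?)",
        ROWS,
    )
    return conn


def lookup_unescaped(conn, username):
    """VULNERABLE: untrusted input pasted straight into the query text."""
    sql = ("SELECT username, value FROM radcheck WHERE username = '%s' "
           "ORDER BY id" % username)
    return conn.execute(sql).fetchall()


def lookup_with_escape(conn, username, safe=SAFE_CHARACTERS):
    """Interpolation after =XX escaping; `safe` lets us widen the list."""
    sql = ("SELECT username, value FROM radcheck WHERE username = '%s' "
           "ORDER BY id" % escape_like_rlm_sql(username, safe))
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Bound parameter: the driver keeps data and SQL separate (PDO-style)."""
    sql = ("SELECT username, value FROM radcheck WHERE username = ? "
           "ORDER BY id")
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = open_db()
    print("raw:        ", lookup_unescaped(db, INJECTION))      # every row leaks
    print("escaped:    ", lookup_with_escape(db, INJECTION))    # nothing
    print("escaped ob: ", lookup_with_escape(db, "o'brien"))    # nothing: o=27brien
    print("' as safe:  ", lookup_with_escape(db, INJECTION, SAFE_CHARACTERS + "'"))
    print("param ob:   ", lookup_parameterized(db, "o'brien"))  # the one row
    print("param inj:  ", lookup_parameterized(db, INJECTION))  # nothing
```

Running it makes the trade-off concrete: the `=27` escape turns the payload into a harmless literal, but it also turns `o'brien` into `o=27brien`, so a row stored with the raw apostrophe is never found. Adding `'` to the safe list restores that match and, in the same stroke, lets the payload dump every row again, which is the outcome the reply warns about. The bound-parameter query is the only variant that both finds `o'brien` and rejects the payload.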