Apostrophe in username
Dom Latter
freeradius-users at latter.org
Tue Oct 30 18:09:16 CET 2018
On 30/10/2018 15:39, Stefan Winter wrote:
> Hi,
>> By default we allow users to use their email address as a username.
>
> Sure. My mail address is stefan';DROP TABLE radacct;@somedomain.com .
Not a problem if the queries are properly escaped or parameterised.
> Your query should use %{SQL-User-Name} instead of just %{User-Name}.
It does use %{SQL-User-Name} .
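
The point made in this reply about escaped or parameterised queries, as an added example that is not part of the original post and is not FreeRADIUS code. It uses an in-memory SQLite table as a stand-in for `radacct`; the schema, the `SAFE` allowlist and the `escape_allowlist` helper are constructed for illustration.

```python
import sqlite3
import string

# Username quoted in the thread; the table is a constructed stand-in,
# not the real FreeRADIUS radacct schema.
USERNAME = "stefan';DROP TABLE radacct;@somedomain.com"
SAFE = set(string.ascii_letters + string.digits + "@.-_ ")  # assumed allowlist

def new_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radacct (username TEXT)")
    return db

def escape_allowlist(value):
    """Hex-encode (=XX) every byte outside the allowlist; illustrative escaper."""
    return "".join(chr(b) if chr(b) in SAFE else "=%02X" % b
                   for b in value.encode("utf-8"))

def count_interpolated(db, username):
    """Unsafe: the raw value becomes part of the SQL text."""
    sql = "SELECT count(*) FROM radacct WHERE username = '%s'" % username
    try:
        # The apostrophe ends the literal early. sqlite3's execute() refuses
        # the stacked statements that follow, so the break surfaces as an error.
        return db.execute(sql).fetchone()[0]
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return "rejected: " + type(exc).__name__

def count_escaped(db, username):
    """Value is escaped first, so it can no longer close the string literal."""
    sql = ("SELECT count(*) FROM radacct WHERE username = '%s'"
           % escape_allowlist(username))
    return db.execute(sql).fetchone()[0]

def count_bound(db, username):
    """Parameterised: the value travels separately from the SQL text."""
    return db.execute("SELECT count(*) FROM radacct WHERE username = ?",
                      (username,)).fetchone()[0]

def demo():
    db = new_db()
    db.execute("INSERT INTO radacct VALUES (?)", (USERNAME,))
    db.execute("INSERT INTO radacct VALUES (?)", (escape_allowlist(USERNAME),))
    return (count_interpolated(db, USERNAME), count_escaped(db, USERNAME),
            count_bound(db, USERNAME))

if __name__ == "__main__":
    print(escape_allowlist(USERNAME))
    print(demo())
```

The escaped and bound lookups each find their row and the table stays intact; only the interpolated query fails on the apostrophe.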