Apostrophe in username

Alan DeKok aland at deployingradius.com
Tue Oct 30 18:15:02 CET 2018


On Oct 30, 2018, at 1:09 PM, Dom Latter <freeradius-users at latter.org> wrote:
> 
> On 30/10/2018 15:39, Stefan Winter wrote:
>> Hi,
>>> By default we allow users to use their email address as a username.
>> Sure. My mail address is stefan';DROP TABLE radacct;@somedomain.com .
> 
> Not a problem if the queries are properly escaped or parameterised.

  That's what the "safe_characters" configuration does.  It allows "safe" characters and escapes everything else.

  If you edit the configuration to allow apostrophe, then you *will* be open to attacks, and someone *will* destroy your database.

  Alan DeKok.
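As an added illustration of the point above (this is not Alan's code, nor anything from the FreeRADIUS project), the following Python models an allowlist escape in the style of rlm_sql's `safe_characters`: every character outside the list is replaced by `=XX` (hex), so an apostrophe or semicolon smuggled into a username can never close the quoted string in a query template. The `SAFE_CHARACTERS` default and the `=XX` encoding are my recollection of rlm_sql's behaviour and should be treated as assumptions; the hostile username is the one from the thread, embedded here as constructed input, and the in-memory SQLite table stands in for `radacct`. `quote_survives` shows the caveat Alan raises: add the apostrophe to the allowlist and the filter stops protecting the quoting.

```python
import sqlite3

# Allowlist modelled on the rlm_sql "safe_characters" setting (assumption:
# check mods-available/sql in your own build for the real default).
SAFE_CHARACTERS = (
    "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
)

# Constructed sample from the thread: an "email address" carrying SQL.
HOSTILE_USERNAME = "stefan';DROP TABLE radacct;@somedomain.com"


def sql_escape(value: str, safe: str = SAFE_CHARACTERS) -> str:
    """Keep allowlisted ASCII characters; encode every other byte as =XX.

    Modelled on how rlm_sql escapes expansions such as %{User-Name}
    (assumption: the exact FreeRADIUS output format may differ).
    """
    out = []
    for b in value.encode("utf-8"):
        if b < 0x80 and chr(b) in safe:
            out.append(chr(b))
        else:
            out.append("=%02X" % b)
    return "".join(out)


def quote_survives(safe: str) -> bool:
    """True if a raw apostrophe makes it through the filter with this allowlist."""
    return "'" in sql_escape(HOSTILE_USERNAME, safe)


def build_demo_db() -> sqlite3.Connection:
    """Tiny stand-in for the radacct table (constructed test data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radacct (acctsessionid TEXT, username TEXT)")
    conn.execute("INSERT INTO radacct VALUES ('s1', 'alice')")
    conn.commit()
    return conn


def count_sessions_interpolated(conn: sqlite3.Connection, username: str) -> int:
    """Escape-then-interpolate, the way a FreeRADIUS query template works.

    The value is pasted into the SQL text, but only after the allowlist
    filter has run, so the quote and semicolons are neutralised.
    """
    query = "SELECT COUNT(*) FROM radacct WHERE username = '%s'" % sql_escape(username)
    return conn.execute(query).fetchone()[0]


def count_sessions_parameterised(conn: sqlite3.Connection, username: str) -> int:
    """Parameter binding: the driver never interprets the value as SQL."""
    query = "SELECT COUNT(*) FROM radacct WHERE username = ?"
    return conn.execute(query, (username,)).fetchone()[0]


def radacct_still_exists(conn: sqlite3.Connection) -> bool:
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'radacct'"
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    print(sql_escape(HOSTILE_USERNAME))
    db = build_demo_db()
    print(count_sessions_interpolated(db, HOSTILE_USERNAME),
          count_sessions_parameterised(db, HOSTILE_USERNAME),
          radacct_still_exists(db))
    print("apostrophe allowed ->", quote_survives(SAFE_CHARACTERS + "'"))
```

Either path is safe on its own: the allowlist filter makes the interpolated template safe, and parameter binding makes escaping unnecessary. What is not safe is widening `safe_characters` to include the quote character while still relying on interpolation, which is the configuration change the message warns against.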
