Apostrophe in username
Alan DeKok
aland at deployingradius.com
Tue Oct 30 18:15:02 CET 2018
On Oct 30, 2018, at 1:09 PM, Dom Latter <freeradius-users at latter.org> wrote:
>
> On 30/10/2018 15:39, Stefan Winter wrote:
>> Hi,
>>> By default we allow users to use their email address as a username.
>> Sure. My mail address is stefan';DROP TABLE radacct;@somedomain.com .
>
> Not a problem if the queries are properly escaped or parameterised.
That's what the "safe_characters" configuration does. Allows "safe" characters, and escapes everything else.
If you edit the configuration to allow apostrophe, then you *will* be open to attacks, and someone *will* destroy your database.
Alan DeKok.