FreeRadius replaces characters in '%{User-Password}' after upgrade 3.0.16->3.0.19

Herwin Weststrate herwin at
Thu Jul 18 14:55:14 CEST 2019

On 18-07-19 14:48, Dom Latter wrote:
> On 18/07/2019 12:21, Alan DeKok wrote:
>>    The SQL module has always performed character escaping.  I'm not
>> sure what changed, if anything.
>>    The short answer is that you can expose your SQL server to
>> injection attacks by editing the "safe_characters" string in
>> mods-config/sql/main/mysql/queries.conf
> Is using parameterised queries instead anywhere on the roadmap?

There is an issue to do it, but it looks like nobody had any time to fix it.

Meanwhile, PostgreSQL and MySQL have an option, driver_specific_escape,
that uses driver-specific escaping and should fix the problem. It was
introduced pretty recently, so I guess 3.0.19 should have it available.
(Other drivers can be rewritten to include a specific escape as well;
it's just that nobody ever did that.)

Herwin Weststrate
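To make the two points of this thread concrete (an allow-list escape such as rlm_sql's "safe_characters" rewrites the bytes of '%{User-Password}' before they ever reach the database, whereas a bound parameter delivers the value untouched and still cannot alter the statement), here is an added Python example. It is not FreeRADIUS code: the SAFE_CHARACTERS string and the "=XX" hex replacement are an assumption modelled on the behaviour the thread describes, the radcheck table and the "alice" row are constructed sample data, and SQLite's "?" placeholder stands in for the driver-specific placeholder a MySQL or PostgreSQL driver would use.

```python
import sqlite3

# ASSUMPTION: a constructed allow-list in the spirit of the
# "safe_characters" setting in mods-config/sql/main/*/queries.conf.
# The real default may differ; the point is that anything outside the
# list gets rewritten.
SAFE_CHARACTERS = (
    "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789.-_: /"
)


def safe_characters_escape(value: str, safe: str = SAFE_CHARACTERS) -> str:
    """Allow-list escaping: every byte not in `safe` becomes =XX (hex).

    This is the operation that turns a user's password into a different
    string before it is spliced into SQL text.
    """
    out = []
    for ch in value:
        if ch in safe:
            out.append(ch)
        else:
            out.append("".join(f"={b:02X}" for b in ch.encode("utf-8")))
    return "".join(out)


def make_db() -> sqlite3.Connection:
    """Constructed sample schema with one cleartext password row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radcheck (username TEXT, attribute TEXT, op TEXT, value TEXT)"
    )
    conn.execute(
        "INSERT INTO radcheck VALUES (?, ?, ?, ?)",
        ("alice", "Cleartext-Password", ":=", "pa$$w0rd!"),
    )
    conn.commit()
    return conn


def lookup_escaped(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The pattern the thread complains about: escape, then interpolate.

    The query only matches if the escape left the password unchanged, so a
    password containing '$' or '!' silently fails to match its stored value.
    """
    sql = (
        "SELECT username FROM radcheck WHERE username = '%s' AND value = '%s'"
        % (safe_characters_escape(username), safe_characters_escape(password))
    )
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Bound parameters: the value reaches the database byte-for-byte and is
    never parsed as SQL, so no character rewriting is needed at all."""
    sql = "SELECT username FROM radcheck WHERE username = ? AND value = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    db = make_db()
    pw = "pa$$w0rd!"
    print("escaped form :", safe_characters_escape(pw))      # pa=24=24w0rd=21
    print("escape+splice:", lookup_escaped(db, "alice", pw))  # [] -> login fails
    print("bound params :", lookup_parameterised(db, "alice", pw))  # ['alice']
    # A quote in the bound value is just data, not part of the statement.
    print("quote in pw  :", lookup_parameterised(db, "alice", "' OR '1'='1"))  # []
```

The escaped lookup fails because the stored value is the original password while the query carries the rewritten one; the parameterised lookup succeeds without any escaping, and a quote character inside the bound value is compared literally rather than changing the statement. With MySQL or PostgreSQL drivers the placeholder syntax differs, but the property is the same.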
