FreeRadius replaces characters in '%{User-Password}' after upgrade 3.0.16->3.0.19

Alan DeKok aland at
Thu Jul 18 16:16:40 CEST 2019

On Jul 18, 2019, at 8:55 AM, Herwin Weststrate <herwin at> wrote:
> There is an issue to do it, but it looks like nobody had any time to fix it.

  We've made some good progress, but only in the "master" branch.

  The goal is to automatically split the SQL queries into "safe" and "unsafe" bits.  But that involves tracking the safety of expansions recursively.  Which then changes all kinds of things.

  It's just easier to do it in v4.

> Meanwhile, Postgresql and Mysql have an option driver_specific_escape
> that uses driver specific escapes and should fix the problem. It was
> introduced pretty recently, so I guess 3.0.19 should have it available.
> (Other drivers can be rewritten to include a specific include as well,
> it's just that nobody ever did that).

  That's the best approach for v3.

  Alan DeKok.

More information about the Freeradius-Users mailing list