[POLL] Escaping behaviour in SQL/LDAP/regexes

Arran Cudbard-Bell a.cudbardb at freeradius.org
Tue Mar 11 21:39:06 UTC 2025



>> Assume the value of User-Name is: Bob'; DROP TABLE users;--
>> 
>> Possible answers:
>> 
>> a) SELECT * FROM my-table WHERE Service-Type = 'Framed-User' AND User-Name = 'Bob'; DROP TABLE users;--'
>> b) SELECT * FROM my-table WHERE Service-Type = \'Framed-User\' AND User-Name = 'Bob\'; DROP TABLE users;--'
>> c) SELECT * FROM my-table WHERE Service-Type = 'Framed-User' AND User-Name = 'Bob\'; DROP TABLE users;--'
>> d) Other.  Please write expected, expanded, SQL statement.

These are possible answers for each of the 4 policy snippets immediately below the possible answers.

We're looking for something like:

1. a
2. b
3. c
4. d

> My expectation is always a prepared statement in the form
> 
>  SELECT * FROM my-table WHERE Service-Type = 'Framed-User' AND User-Name = ?
> 
> called with the current User-Name variable value as a bound parameter.
> 
> This will of course not work with "%{sql_condition}" as a variable.  But
> then I don't expect "%{sql_condition}" to be a variable either.  Why
> would it?  Better write the complete statement.

This is a contrived set of policies.  The point is to determine what users' expectations are of how the variables in the SQL statement are expanded/interpolated, not to debate best practice in policy writing :)

-Arran
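As an added illustration (not part of the thread, and not FreeRADIUS code), the following Python script builds the poll's candidate expansions (a) and (c) as strings from the sample User-Name value, and then runs the escaped form and the reply's bound-parameter form against an in-memory SQLite table. It also shows the caveat the poll's backslash-escaped candidates raise: escaping is dialect-specific, so MySQL-style `\'` escaping applied to a database that uses `''` doubling (SQLite here) no longer yields a single statement, whereas a bound parameter is never parsed as SQL at all. The table layout, the quoted identifiers (so SQLite accepts the hyphenated names) and the `users` table are assumptions of this example.

```python
import sqlite3

# Constructed sample value, copied from the poll: the User-Name attribute as a hostile client might send it.
USER_NAME = "Bob'; DROP TABLE users;--"

# Statement shape from the poll. Table and column names are assumed here and kept as quoted
# identifiers so that SQLite accepts the hyphens.
TEMPLATE = ('SELECT * FROM "my-table" WHERE "Service-Type" = \'Framed-User\' '
            'AND "User-Name" = {value}')


def expand_raw(user_name):
    """Candidate (a): the expanded value is dropped into the statement verbatim."""
    return TEMPLATE.format(value=f"'{user_name}'")


def escape_backslash(value):
    """MySQL-style escaping, the form shown in candidates (b) and (c)."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def escape_quote_doubling(value):
    """SQL-standard escaping (SQLite, PostgreSQL, Oracle): double every single quote."""
    return value.replace("'", "''")


def expand_escaped(user_name, escape=escape_backslash):
    """Candidate (c): only the expanded value is escaped; literals written in the template stay as-is."""
    return TEMPLATE.format(value=f"'{escape(user_name)}'")


def prepared_statement():
    """The reply's expectation: a placeholder the driver binds the value to at execution time."""
    return TEMPLATE.format(value="?")


def make_db():
    """In-memory SQLite database with one row whose User-Name is exactly the hostile value."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "my-table" ("Service-Type" TEXT, "User-Name" TEXT)')
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.execute('INSERT INTO "my-table" VALUES (?, ?)', ("Framed-User", "Bob"))
    conn.execute('INSERT INTO "my-table" VALUES (?, ?)', ("Framed-User", USER_NAME))
    return conn


def lookup_bound(conn, user_name):
    """Bound parameter: the value is data, never parsed as SQL, so only the literal row matches."""
    return conn.execute(prepared_statement(), (user_name,)).fetchall()


def lookup_escaped(conn, user_name, escape):
    """Escaped interpolation. Returns the matching rows, or None when the driver refuses the
    text because the (mismatched) escaping left more than one statement in it."""
    try:
        return conn.execute(expand_escaped(user_name, escape)).fetchall()
    except (sqlite3.Warning, sqlite3.Error):
        return None


def users_table_exists(conn):
    """True while the assumed 'users' table is still present."""
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = 'users'"
    ).fetchone()
    return row[0] == 1


def demo():
    """Run every candidate against the same data and report what each one did."""
    conn = make_db()
    return {
        "bound": lookup_bound(conn, USER_NAME),
        "escaped_for_sqlite": lookup_escaped(conn, USER_NAME, escape_quote_doubling),
        "escaped_for_mysql": lookup_escaped(conn, USER_NAME, escape_backslash),
        "users_table_exists": users_table_exists(conn),
    }


if __name__ == "__main__":
    print("(a) raw:     ", expand_raw(USER_NAME))
    print("(c) escaped: ", expand_escaped(USER_NAME))
    print("prepared:    ", prepared_statement())
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Both the bound-parameter query and the SQLite-correct escaped query return the row whose User-Name is the literal hostile string; the MySQL-style escaping run against SQLite is rejected by the driver as multiple statements. Only the bound form is independent of which database the policy ends up talking to.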

