Hello!
On Tue, 1 Oct 2002, Alan DeKok wrote:
> > modified, in particular some characters like '+', '(', and ')' are
> > translated into hexadecimal notation. A string like this:
> >
> > 24000/31200 V34+/LAPM (52000/28800)
> >
> > is modified in:
> >
> > 24000/31200 V34=2B/LAPM =2852000/28800=29
>
> It's a design intent of the server. If that translation is NOT
> done, then certain characters can get the SQL parser
> excited... e.g. Someone logs in with a User-Name consisting of SQL
> commands, and your SQL database is trashed.
Hm... there are few risky chars in SQL, namely \0 and the apostrophe.
Only these two should be escaped; the SQL servers in use handle the rest of the chars
very easily inside a '' pair (for varchar/char/datetime types). Numerics must be
converted beforehand anyway, right? So "+" and its kin should be passed through
untouched to obtain readable info in the DB, not to mention national
chars above 0x7f. It is the admin's duty to supply the right SQL schema.
BTW, where in the sources is the actual rule for escaping chars in SQL queries?
--
WBR, Yury Bokhoncovich, Senior System Administrator, NOC of F1 Group.
Phone: +7 (3832) 106228, ext.140, E-mail: [EMAIL PROTECTED]
Unix is like a wigwam -- no Gates, no Windows, and an Apache inside.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
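As an added illustration of the escaping question discussed in this thread (example code, not FreeRADIUS code and not from either poster), the following Python script builds a small SQLite table, pushes a crafted User-Name through a string-interpolated query, and then shows what happens with the "=XX" hex translation quoted above, with apostrophe/NUL-only escaping, and with a bound parameter. The table and column names, the sample rows and the set of characters treated as "safe" by the hex translation are assumptions made for this example.

```python
"""Added example (not FreeRADIUS code): SQL injection through a RADIUS
User-Name, and three ways of keeping user-controlled text out of the SQL
parser.  Table and column names, the safe-character set and the sample
rows are all constructed for this illustration."""

import sqlite3

# Assumed "safe" set for the =XX translation; everything else is hex-encoded.
# '=' is deliberately not safe, so the encoding stays unambiguous.
SAFE_CHARS = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 /.-_:@"
)


def hex_escape(value: str, safe: frozenset = SAFE_CHARS) -> str:
    """Translate every character outside `safe` into =XX, one pair per byte,
    in the style of the '+' -> '=2B' rewrite quoted in the thread."""
    out = []
    for ch in value:
        if ch in safe:
            out.append(ch)
        else:
            out.extend(f"={b:02X}" for b in ch.encode("utf-8"))
    return "".join(out)


def quote_escape(value: str) -> str:
    """Minimal escaping for a value placed inside a '...' literal: drop NUL
    bytes and double the apostrophe.  Other characters pass through unchanged."""
    return value.replace("\0", "").replace("'", "''")


def make_db() -> sqlite3.Connection:
    """In-memory table standing in for a RADIUS SQL backend (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radcheck (username TEXT, attribute TEXT, value TEXT)")
    conn.executemany(
        "INSERT INTO radcheck VALUES (?, ?, ?)",
        [("alice", "Password", "s3cret"), ("bob", "Password", "hunter2")],
    )
    return conn


def lookup_interpolated(conn, username: str, escape=None) -> list:
    """Builds the query by string interpolation.  Without `escape` this is the
    vulnerable pattern: the User-Name is handed to the SQL parser as SQL."""
    if escape is not None:
        username = escape(username)
    sql = f"SELECT username, value FROM radcheck WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username: str) -> list:
    """Bound parameter: the driver never lets the value reach the SQL parser."""
    return conn.execute(
        "SELECT username, value FROM radcheck WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    evil = "x' OR '1'='1"  # a User-Name that is really an SQL fragment
    print("raw:         ", lookup_interpolated(conn, evil))             # both rows leak
    print("=XX escaped: ", lookup_interpolated(conn, evil, hex_escape))  # []
    print("'' escaped:  ", lookup_interpolated(conn, evil, quote_escape))  # []
    print("bound param: ", lookup_parameterized(conn, evil))             # []
    print(hex_escape("24000/31200 V34+/LAPM (52000/28800)"))
```

Run stand-alone, the script prints both table rows for the raw interpolated query and an empty result for the other three variants; the last line reproduces the `=2B` / `=28` / `=29` rewrite of the Connect-Info string from the quoted message. Both escaping styles stop this particular payload; they differ only in how much of the original text stays readable in the database, which is the point under discussion.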