Yury Bokhoncovich <[EMAIL PROTECTED]> wrote:
> Hm...there are few risky chars in SQL, namely \0 and apostrophe.

  http://www.striker.ottawa.on.ca/~aland/SQLInjectionWhitePaper.pdf

  I forgot where I found it originally.

  Are you *sure* that for *all* SQL variants, the only magic
characters are \0 and ' ? I'm not willing to say that.

> These two should be escaped only, SQL servers used handle the rest chars
> very easy in '' pair (for varchar/char/datetime types). Numerics must be
> converted before anyway, right? So "+" and kins should be passed
> untouched to obtain readable info in DB, don't mention about national
> chars above 0x7f. This is a duty of admin to supply the right sql schema.

  And it's the duty of hackers to supply any kind of weird characters
to try to hack your SQL database.

> BTW, where is the actual rule to escape chars for SQL queries in sources?

  src/modules/rlm_sql/rlm_sql.c, sql_xlat()

  It has an explicit inclusion list.  Any other characters get
escaped.  While I'm willing to add more characters to the white list,
I'd rather be safe than sorry.

  I'd also like to be somewhat safe against admins editing their SQL
queries, and allowing hackers into their systems.  If that happens,
they'll blame FreeRADIUS, NOT their own mistakes.  I'd rather see a
few characters mangled in the logs, than someone's system being
hacked.

  Alan DeKok.

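The inclusion-list approach Alan describes for sql_xlat(), written out as an added example (constructed here, not FreeRADIUS's own code; the exact allowlist and the "=XX" hex escape form are assumptions). It escapes every byte that is not explicitly allowed, so NUL and the apostrophe are covered without having to enumerate every SQL dialect's metacharacters:

```c
/* Allowlist-based SQL escaping: characters on an explicit inclusion list
 * pass through, everything else is escaped. Constructed example, not
 * FreeRADIUS's sql_xlat(); the allowlist and "=XX" escape form are assumed. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed inclusion list: alphanumerics plus a few punctuation characters
 * that commonly appear in RADIUS attribute values (user names, NAS ports). */
static const char safe_chars[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    "@.-_:/ ";

/* Copy 'in' (inlen bytes) into 'out' (capacity outlen), replacing every
 * byte that is not on the allowlist with "=XX" (two upper-case hex digits).
 * Returns the number of bytes written, excluding the NUL terminator, or -1
 * if the output buffer is too small. Works on raw bytes, so NUL, apostrophe,
 * backslash, comment markers and bytes above 0x7f are all escaped. */
int sql_escape_allowlist(const char *in, size_t inlen, char *out, size_t outlen)
{
    size_t pos = 0;
    if (outlen == 0) return -1;
    for (size_t i = 0; i < inlen; i++) {
        unsigned char c = (unsigned char)in[i];
        /* strchr() would match the list's terminating NUL, so reject it first. */
        if (c != '\0' && strchr(safe_chars, c) != NULL) {
            if (pos + 1 >= outlen) return -1;
            out[pos++] = (char)c;
        } else {
            if (pos + 3 >= outlen) return -1;
            snprintf(out + pos, outlen - pos, "=%02X", c);
            pos += 3;
        }
    }
    out[pos] = '\0';
    return (int)pos;
}

int main(void)
{
    /* Constructed hostile input: quote, comment marker, embedded NUL, high byte. */
    const char raw[] = "bob' OR 1=1 --\0\xe9";
    char esc[128];
    int n = sql_escape_allowlist(raw, sizeof(raw) - 1, esc, sizeof(esc));
    printf("%d bytes: %s\n", n, esc);   /* prints: 24 bytes: bob=27 OR 1=3D1 --=00=E9 */
    return 0;
}
```

A value mangled this way is still recognisable in the logs, which is the trade-off the mail accepts in exchange for never letting an unlisted byte reach the query.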
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html