Hello Rodrigo -
You can use the UsernameCharset parameter to restrict the characters in the username.
See section 6.4.30 in the Radiator 3.7.1 reference manual.
As far as the password is concerned, this field is only read from the database and the comparison is done inside Radiator.
regards
Hugh
On 06/12/2003, at 7:25 AM, Rodrigo Nuno Bragança da Cunha wrote:
Hi!
I'm using AuthBy SQL to authenticate user/passwd against an OTP session database, and everything is working just fine, but today I noticed a problem: what if a malicious user sets his username and/or password to something containing special SQL codes, like ', or ", etc.?
Well, I tried and it worked as expected: malicious queries can be done that way.
The question is: how do I solve that? RewriteUsername won't work for passwords... and also for accounting... the same problem exists.
Thanks,
Rodrigo
=== Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
NB: have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?
-- Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows, MacOS X. - Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence. - CATool: Private Certificate Authority for Unix and Unix-like systems.
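The two points in the reply above (restrict the username's character set; read the password from the database and compare it in the application), shown as an added example that is not part of the original thread and is not Radiator's code. The table and column names, the allow-list pattern and the sample rows are assumptions made up for the illustration, and the bound-parameter query is an addition beyond what the thread mentions.

```python
import hmac
import re
import sqlite3

# Assumed allow-list, playing the role of Radiator's UsernameCharset.
USERNAME_ALLOWED = re.compile(r"[A-Za-z0-9._@-]+")

def make_db():
    """Constructed sample table standing in for the OTP session database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (username TEXT PRIMARY KEY, password TEXT)")
    db.executemany("INSERT INTO sessions VALUES (?, ?)",
                   [("alice", "481516"), ("bob", "234299")])
    return db

def lookup_interpolated(db, username):
    """Before: the username is pasted into the query text."""
    query = "SELECT password FROM sessions WHERE username = '%s'" % username
    return db.execute(query).fetchall()

def lookup_bound(db, username):
    """After: reject characters outside the allow-list, then bind the value."""
    if not USERNAME_ALLOWED.fullmatch(username):
        return []
    return db.execute("SELECT password FROM sessions WHERE username = ?",
                      (username,)).fetchall()

def authenticate(db, username, submitted, lookup=lookup_bound):
    """Fetch the stored password, then compare inside the application.
    The submitted password never becomes part of the SQL text."""
    rows = lookup(db, username)
    if len(rows) != 1:
        return False
    return hmac.compare_digest(rows[0][0].encode(), submitted.encode())

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input containing a quote
    print("interpolated rows:", len(lookup_interpolated(db, crafted)))
    print("bound rows:", len(lookup_bound(db, crafted)))
    print("valid login:", authenticate(db, "alice", "481516"))
    print("quote in password:", authenticate(db, "alice", "' OR '1'='1"))
```

With the interpolated query the quote changes the WHERE clause and every row comes back; with the allow-list and a bound parameter the same input matches nothing.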
