On Wed, Oct 19, 2011 at 4:01 PM, Phil Mayers <p.may...@imperial.ac.uk> wrote:

> Are you using postgres?

Nope. MySQL.

> If so, you could try to abuse this feature by making EVERY character
> safe, then perform the escaping yourself by doing this:
>
> update request {
>         SQL-Query := "select * from foo where bar=$tag$%{User-Name}$tag$"
>         SQL-Result := "%{sql:%{SQL-Query}}"
> }

"SQL-Query" and "SQL-Result" are just examples, right? Unless they're
specifically added to a dictionary.

> It's not the most secure option; someone could contrive to get the string
> "$tag$; drop table foo" into a radius field, but if you can be sure this
> won't happen (e.g. sanitise it) it might work.

The most dangerous character would probably be ";". Right now I'm adding
"'=(),|". The first five because they're often used in queries. The last
one ("|") is because I need a "marker" character, so that I can abuse
MySQL's CONCAT() and split the result later using unlang's regex.

The "put queries in attribute" part is necessary to be able to create a
generic pseudo-redundant SQL expansion. I'm currently testing it for
dynamic-clients. The modification uses fewer SQL queries (one, as opposed
to five), and can use another SQL server if the first one is dead or
returns no result (which is why I said pseudo-redundant).

If anyone's interested, the modification is something like this:

local-config.conf:
==================================
local-config {
        ...
        dynamic-clients {
                sql-nas="SELECT CONCAT('|', shortname, '|', secret , '|', type , '|', IF(ISNULL(server),'',server), '|') FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'"
        }
        ...
}

policy.conf:
==================================
policy {
        ...
        # SQL expansion: query from Tmp-String-0, result stored in Tmp-String-1
        expand_sql1 {
                if (control:Tmp-String-0) {
                        update control {
                                Tmp-String-1 := "%{sql-expansion-1: %{control:Tmp-String-0}}"
                        }
                }
        }

        expand_sql2 {
                if (control:Tmp-String-0) {
                        update control {
                                Tmp-String-1 := "%{sql-expansion-2: %{control:Tmp-String-0}}"
                        }
                }
        }

        # Try the first SQL instance; fall back to the second if it returned nothing
        expand_sql_redundant {
                expand_sql1
                if (! "%{control:Tmp-String-1}") {
                        expand_sql2
                }
        }
        ...
}

sites-available/dynamic-clients:
==================================
server dynamic_client_server {
        ...
        authorize {
                update control {
                        Tmp-String-0 := "${local-config.dynamic-clients.sql-nas}"
                }

                expand_sql_redundant

                if (control:Tmp-String-1 =~ /\\|(.*?)\\|(.*?)\\|(.*?)\\|(.*?)\\|/) {
                        update control {
                                FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
                                FreeRADIUS-Client-Shortname = "%{1}"
                                FreeRADIUS-Client-Secret = "%{2}"
                                FreeRADIUS-Client-NAS-Type = "%{3}"
                                FreeRADIUS-Client-Virtual-Server = "%{4}"
                        }
                }
                ok
        }
        ...
}

-- 
Fajar

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
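As an added illustration, not part of Fajar's post or of FreeRADIUS itself, the Python below models the two moving parts of the scheme: rlm_sql-style safe-character escaping with the six characters the post adds to the safe set, and the "|" marker split performed by the dynamic-clients regex. The default safe set and the "=XX" hex escaping rule are assumptions modelled on FreeRADIUS 2.x sql.conf, and the NAS rows are constructed.

```python
import re
from typing import Optional

# Assumption: default rlm_sql safe_characters (FreeRADIUS 2.x sql.conf) and the
# '=' + two-hex-digit escaping rule are modelled on rlm_sql, not taken from it.
DEFAULT_SAFE = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
# The post adds these six so the query stored in Tmp-String-0 survives %{sql:...}.
POST_SAFE = DEFAULT_SAFE + "'=(),|"

FIELDS = ("shortname", "secret", "type", "server")
# Same pattern as the dynamic-clients virtual server: four '|'-delimited captures.
NAS_ROW = re.compile(r"\|(.*?)\|(.*?)\|(.*?)\|(.*?)\|")


def sql_escape(value: str, safe: str = POST_SAFE) -> str:
    """Keep characters in `safe`; replace every other byte with '=' + two hex digits."""
    out = []
    for ch in value:
        if ch in safe:
            out.append(ch)
        else:
            out.extend("=%02X" % b for b in ch.encode("utf-8"))
    return "".join(out)


def concat_row(shortname: str, secret: str, nastype: str, server: Optional[str]) -> str:
    """Mirror CONCAT('|', shortname, '|', secret, '|', type, '|', IF(ISNULL(server),'',server), '|')."""
    return "|%s|%s|%s|%s|" % (shortname, secret, nastype, server or "")


def row_is_well_formed(row: str) -> bool:
    """Four fields carry exactly five markers; any other count means a column
    itself contained '|' and the regex captures would be shifted."""
    return row.count("|") == 5


def split_nas_row(row: str) -> Optional[dict]:
    """Apply the unlang regex and name the captures %{1}..%{4}."""
    m = NAS_ROW.search(row)
    return dict(zip(FIELDS, m.groups())) if m else None


if __name__ == "__main__":
    print(sql_escape("x; drop", DEFAULT_SAFE))   # ';' is never safe: x=3B drop
    print(sql_escape("bar='1'", DEFAULT_SAFE))   # default set mangles the query
    print(sql_escape("bar='1'"))                 # post's set leaves it intact
    good = concat_row("nas1", "s3cr3t", "cisco", None)
    bad = concat_row("nas1", "pa|ss", "cisco", "inner")  # constructed: secret holds '|'
    print(row_is_well_formed(good), split_nas_row(good))
    print(row_is_well_formed(bad), split_nas_row(bad))    # type and server shifted
```

Checking the marker count before trusting the captures is the cheap sanity test the regex alone does not give you: a row with a "|" inside a column still matches, but %{2}..%{4} then hold the wrong fields.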