Mark attribute containing SQL query as safe
authorNick Porter <nick@portercomputing.co.uk>
Wed, 17 Jul 2024 16:11:49 +0000 (17:11 +0100)
committerNick Porter <nick@portercomputing.co.uk>
Wed, 17 Jul 2024 16:11:49 +0000 (17:11 +0100)
Previously the query in an SQL map was not being escaped.
Now that it is, the ' characters in the query would themselves be escaped unless the string is
marked as safe.

src/tests/modules/sql/map.unlang

index bc09307115ada923bfdbb57b75abe23050c8260d..6c93782a80264c2de8c38ed91ba0844a3fa5c1da 100644 (file)
@@ -225,7 +225,7 @@ if !(&control.NAS-Port == 0) {
        test_fail
 }
 
-&sqlcmd := "SELECT * FROM radusergroup WHERE priority <= 1 AND username = '%{User-Name}'"
+&sqlcmd := %sql.safe("SELECT * FROM radusergroup WHERE priority <= 1 AND username = '%sql.escape(%{User-Name})'")
 
 # Clear the control list
 &control -= &User-Name[*]
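Review bot: On the new `&sqlcmd` line, wrapping the whole literal in `%sql.safe(...)` turns off escaping for the entire string, so the only thing standing between `%{User-Name}` and the query text is the explicit `%sql.escape(...)` around it; a comment above the assignment would keep a later edit from adding another `%{...}` expansion without it, e.g. `# Whole string is marked safe, so every untrusted expansion inside it MUST go through %sql.escape()`. As far as this hunk shows, the test still only runs with a User-Name that contains no quote, so the escaping path the commit enables is not actually exercised here; a second case that sets a name containing `'` before this query would pin that `%sql.escape` produces a query the driver accepts. Whether `%sql.escape` applies the escaping rules of the configured driver rather than a generic one is not visible from this file and worth confirming.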