From: Nick Porter
Date: Wed, 17 Jul 2024 16:11:49 +0000 (+0100)
Subject: Mark attribute containing SQL query as safe
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d2ee6aeea774506667bd8db7ceb4bea27cd4f4ca;p=thirdparty%2Ffreeradius-server.git

Mark attribute containing SQL query as safe

Previously the query in an SQL map was not being escaped. Now it is, the ' in the query will be escaped if the string is not marked as safe.
---

diff --git a/src/tests/modules/sql/map.unlang b/src/tests/modules/sql/map.unlang
index bc09307115a..6c93782a802 100644
--- a/src/tests/modules/sql/map.unlang
+++ b/src/tests/modules/sql/map.unlang
@@ -225,7 +225,7 @@ if !(&control.NAS-Port == 0) {
 test_fail
 }
 
-&sqlcmd := "SELECT * FROM radusergroup WHERE priority <= 1 AND username = '%{User-Name}'"
+&sqlcmd := %sql.safe("SELECT * FROM radusergroup WHERE priority <= 1 AND username = '%sql.escape(%{User-Name})'")
 
 # Clear the control list
 &control -= &User-Name[*]
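Review bot: The new `&sqlcmd` assignment marks the whole query string as safe with `%sql.safe(...)`, so, going by the commit message, the map no longer escapes anything inside it and the inner `%sql.escape(%{User-Name})` is the only protection left for the interpolated value; nothing on the line records that. I would add a comment above it such as `# Whole query is marked safe, so every expansion inside it must be wrapped in %sql.escape()`, because test files like this tend to be copied as usage examples. The visible hunk also shows no case where User-Name contains a `'`; unless one exists elsewhere in map.unlang, the escaping this change depends on is not exercised by the test. The surrounding test section starts and ends outside the hunk.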