(RADIATOR) AuthBy SQL problem

Robert Blayzor noc at inoc.net
Wed Oct 15 12:04:23 CDT 2003


On 10/15/03 10:27 AM, "Adam Pogorzelski" <kwaz at intelcom.pl> wrote:

> I have such a problem. I have users in a MySQL database, and a few so-called
> multilogin users. These multilogins have simple passwords created from the
> username, for example ppp/ppp. The problem is that I need to authenticate
> these combinations as the same user:
> ppp/ppp, PPP/PPP, ppp/PPP, PPP/ppp.
> For now I am including in one Handler two AuthBy config files,
> one with a normal AuthSelect, and a second with AuthSelect 'select
> ucase(PASSWORD)'.

Seems like it's more work than it's worth.  You have some options...

Add the directive in Radiator to ignore the case of passwords, so that
"PaSSwoRD" would match "PASSWORD".  You can also rewrite the username with a
regex to force the username to lowercase before handling it in an AuthBy.

> Because I have many Handlers, and each Handler has two configs, I want
> to minimize all configuration.
> So my question is: is it possible to put two AuthSelects in one AuthBy clause?
> Similar to AuthByPolicy?

For what reason if you just "IgnoreCase" on the password... ?

> P.S. I may be wrong, but isn't Radiator SQL injection aware?
> Sat Oct 11 06:51:57 2003: ERR: do failed for 'insert into radauthlog
> values (1065847917,'~}#','F~~}#@!}!}'} }4',1,'No such
> user','DNIS','CLID')': You have an error in your SQL syntax near '}
> }4',1,'No such user','DNIS','CLID')' at line 1
> S

Tell Radiator what characters are valid in Usernames and you won't see
this...

i.e.:  UsernameCharset a-zA-Z0-9\._@-

Or you could do something like:

RewriteUsername s/[^\w.@\-\_]/\?/g

Which strips out any bogus characters we don't accept and replaces them with
a "?", which should be SQL friendly...

--
Robert Blayzor, BOFH
INOC, LLC
rblayzor at inoc.net
PGP: http://www.inoc.net/~dev/
Key fingerprint = A445 7D1E 3D4F A4EF 6875  21BB 1BAA 10FE 5748 CFE9

Mac OS X. Because making Unix user-friendly is easier than debugging
Windows.
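An added illustration of the two directives suggested above and of the lowercase-plus-IgnoreCase idea (Python stand-ins written for this archive page, not Radiator's own code; the user table and the mangled username are constructed from the quoted log line):

```python
import re

# Assumed equivalent of: UsernameCharset a-zA-Z0-9\._@-
USERNAME_CHARSET = "a-zA-Z0-9._@-"


def username_in_charset(username: str, charset: str = USERNAME_CHARSET) -> bool:
    """True only if every character is in the allowed class (and the name is
    non-empty). A request failing this check never reaches the SQL AuthBy, so
    a quoting character such as ' never lands inside the INSERT/SELECT text."""
    return re.fullmatch(f"[{charset}]+", username) is not None


def rewrite_username(username: str) -> str:
    r"""Assumed equivalent of: RewriteUsername s/[^\w.@\-\_]/\?/g
    Each disallowed character becomes '?'. Python's \w also matches Unicode
    letters; use [A-Za-z0-9_] instead of \w for strictly ASCII behaviour."""
    return re.sub(r"[^\w.@\-_]", "?", username)


def multilogin_match(username: str, password: str, users: dict,
                     ignore_case: bool = True) -> bool:
    """Lowercase the username before lookup and compare the password
    case-insensitively (the IgnoreCase suggestion), so ppp/ppp, PPP/PPP,
    ppp/PPP and PPP/ppp all resolve to one stored record."""
    stored = users.get(username.lower())
    if stored is None:
        return False
    if ignore_case:
        return stored.lower() == password.lower()
    return stored == password


if __name__ == "__main__":
    users = {"ppp": "ppp", "bob.smith": "s3cret"}   # constructed sample table
    garbage = "~}#"                                  # username from the quoted log
    print("charset ok:", username_in_charset(garbage), "rewritten:", rewrite_username(garbage))
    for u, p in [("ppp", "ppp"), ("PPP", "PPP"), ("ppp", "PPP"), ("PPP", "ppp")]:
        print(u, p, multilogin_match(u, p, users))
```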

