[RADIATOR] Using SQL statements inside a PostAuthHook

Heikki Vatiainen hvn at open.com.au
Mon Mar 18 12:03:36 CDT 2013


On 03/17/2013 03:48 PM, Thomas Kurian wrote:

> Can you please check this hook file configuration with respect to my
> radiator configuration file (after the hook file).

>         &main::log($main::LOG_DEBUG, "Running PostAuthHook: Using Identifier
> $identifier");

It's a good idea to add plenty of log() calls.

>         my $username            =
> $p->getAttrByNum($Radius::Radius::User-Name);

use $Radius::Radius::USER_NAME instead

>         my $sess_handle         = Radius::SessGeneric::find($identifier);
> 
>         my $query               = undef;
> 
>                 $query  = "select username from quotasubscribers where
> switched = 0 and type = 'Q' and monthlycounter >= maxquota ";
>                 my $sth = $sess_handle->prepareAndExecute($query);

Once you have $sth, use something like this to process just the first
result. The query you have looks like it will return multiple results
since you are not restricting the search by the username.

my @row = $sess_handle->getOneRow($sth);   # getOneRow() is a method of the SqlDb handle
$sth->finish;
my $db_user_name = @row ? $row[0] : undef;

> if ( $sth eq $username )

if ($db_user_name eq $username)

> {
> my $content = get(
>     URI->new('http://94.187.187.8:8123/changespeed.aspx?uname=' .
>   uri_escape($username) .
>   '&password=XXXXX')
> );
> }
> 
> }

You should always be careful with data submitted by user, such as the
User-Name. If you need to use e.g. User-Name in a SQL query, use
prepared statements or quote() provided by SqlDb.pm.  I would also make
sure uri_escape and HTTP server work correctly when passed random or
malicious data if User-Name is not sanitized beforehand.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
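As an added illustration (not code from this thread or from Radiator's own goodies), here is a hook that puts the advice above together: it restricts the quota query to the authenticating user, passes User-Name as a bind value instead of interpolating it into the SQL, and processes only the first row. It assumes the hook receives references to the request, reply and result as Radiator hooks do, that SqlDb's prepareAndExecute() forwards extra arguments as bind values, and that 'QuotaDB' is a hypothetical SessionDatabase Identifier; table and column names are the ones from Thomas's query.

```perl
# Added example PostAuthHook; Identifier 'QuotaDB' is hypothetical.
# Assumes Radius::SqlDb::prepareAndExecute($query, @bind_values) hands the
# bind values to DBI execute(). If your version does not, build the query
# with $sess_handle->quote($username) instead of string interpolation.
sub {
    my $p      = ${$_[0]};   # current request
    my $rp     = ${$_[1]};   # reply being built
    my $result = ${$_[2]};   # $main::ACCEPT, $main::REJECT, ...

    # Only look at quota for requests that were actually accepted
    return unless $result == $main::ACCEPT;

    my $identifier  = 'QuotaDB';
    my $username    = $p->getAttrByNum($Radius::Radius::USER_NAME);
    my $sess_handle = Radius::SessGeneric::find($identifier);
    unless ($sess_handle) {
        &main::log($main::LOG_ERR,
            "PostAuthHook: no database with Identifier $identifier");
        return;
    }

    # Restrict to this user and bind User-Name rather than concatenating it,
    # so characters in the attribute can never change the query's meaning.
    my $query = 'select username from quotasubscribers where username = ? '
              . "and switched = 0 and type = 'Q' and monthlycounter >= maxquota";
    &main::log($main::LOG_DEBUG, "PostAuthHook: checking quota for $username");

    my $sth = $sess_handle->prepareAndExecute($query, $username);
    return unless $sth;   # prepareAndExecute already logged the SQL error

    my @row = $sess_handle->getOneRow($sth);
    $sth->finish;
    return unless @row;   # no row: user is not over quota

    &main::log($main::LOG_INFO, "PostAuthHook: $username is over quota");
    # Act on the over-quota user here; if that involves an HTTP call, keep
    # using uri_escape($username) and check the response before trusting it.
    return;
}
```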
