I used base64 encoding transformations to deal with these kinds of problems.
—
Sent from mobile, apologies for brevity and errors.
On Jan 12, 2024, at 6:11 AM, Benoît Panizzon via sr-users <sr-users(a)lists.kamailio.org> wrote:
Hi Daniel
comma is not allowed in an unquoted value for SIP parameters because it is separator for header bodies that are set on the same header name. Practically the comma is the end of parameters list.
Thank you for your confirmation I was on the right track.
It should work with:
xavp_params_explode("a=foo;c=\"hello,world\";e=baar", "x");
Any recipe on how to solve if the value is the 'authentication' password taken from the database? As far as I understood the SIP RFC a comma is permitted in the SIP password itself, as it is never present cleartext in a sip header.

Quick example of what I do when receiving a REGISTER with credentials to pull the password:

$var(query) = "select user,password,language from sometable where auth_user = '" + $var(auth_user) + "' limit 1";
$var(qresult) = sql_xquery("database", "$var(query)", "userdata");
xavp_params_implode("userdata","$var(xuserdata)");

$var(xuserdata) is "user=JohnDoe;password=secret,password;language=de_CH"

This is then stored in an $sht to be cached and available for a while and reduce SQL queries.

I guess there is no way to have sql_xquery automatically quote result fields that need quoting.

I could probably do select user,concat('"',password,'"'),language from sometable?

This could also be a potential issue with variable injections via SQL. Imagine some user sets a password ";var=value" this would lead to this var being overwritten I guess.

We are moving towards storing ha1 hashed passwords, so that would solve my issue I guess.
--
Kind regards
-Benoît Panizzon- @ home office and reachable as usual
--
I m p r o W a r e A G - Head of Commerce Customers
______________________________________________________
Zurlindenstrasse 29 Tel +41 61 826 93 00
CH-4133 Pratteln Fax +41 61 826 93 01
Schweiz Web
http://www.imp.ch
______________________________________________________
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
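
The comma truncation and the ";var=value" overwrite raised in the quoted message, and the base64 approach suggested in the reply, shown together as an added example (not code from the thread or from Kamailio). The `explode` function is a simplified model of the behaviour described above, not Kamailio's parser, and all function names and sample rows are constructed for illustration.

```python
import base64

def implode(fields):
    # Model of the unquoted "name=value;name=value" string shown in the thread.
    return ";".join(f"{name}={value}" for name, value in fields)

def explode(params):
    # Simplified model (assumption, not Kamailio source): an unquoted comma
    # ends the parameter list, ';' separates parameters, and a repeated name
    # overwrites the earlier value. Only the first '=' splits name from value.
    out = {}
    for item in params.split(",", 1)[0].split(";"):
        if item:
            name, _, value = item.partition("=")
            out[name] = value
    return out

def b64(value):
    # The standard base64 alphabet contains neither ';' nor ','.
    return base64.b64encode(value.encode()).decode()

def unb64(value):
    return base64.b64decode(value).decode()

def cache_raw(row):
    # What the thread's flow produces: values go into the string untouched.
    return implode(row)

def cache_encoded(row, sensitive=("password",)):
    # Encode user-controlled fields before they reach the delimiter format.
    return implode((k, b64(v) if k in sensitive else v) for k, v in row)

def load_encoded(cached, sensitive=("password",)):
    # Decode only after the string has been split into parameters.
    return {k: unb64(v) if k in sensitive else v
            for k, v in explode(cached).items()}

# Constructed sample rows, mirroring the values discussed in the thread.
COMMA_ROW = [("user", "JohnDoe"), ("password", "secret,password"),
             ("language", "de_CH")]
INJECT_ROW = [("user", "JohnDoe"), ("password", "pw;user=value"),
              ("language", "de_CH")]

if __name__ == "__main__":
    print(explode(cache_raw(COMMA_ROW)))       # password cut, language lost
    print(explode(cache_raw(INJECT_ROW)))      # user overwritten
    print(load_encoded(cache_encoded(COMMA_ROW)))
    print(load_encoded(cache_encoded(INJECT_ROW)))
```

In a Kamailio config the matching transformations are `{s.encode.base64}` and `{s.decode.base64}`, applied to the password field before imploding and after exploding.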