[mapserver-users] substitution in a PostGIS layer .. ?
Hello,

I have the following mapfile: http://www.pastie.org/2206896 with the following SLD: http://www.pastie.org/2206902 (generated dynamically).

I wondered how I can change the WHERE sp.id=%SPID% in the subselect (following a CGI parameter)? I read http://mapserver.org/cgi/runsub.html, and tried with %SPID% (by passing SPID=3 in my URL) but it doesn't seem to work ... any idea?

Thanks,
Julien

--
No trees were killed in the creation of this message. However, many electrons were terribly inconvenienced.

___
mapserver-users mailing list
mapserver-users@lists.osgeo.org
http://lists.osgeo.org/mailman/listinfo/mapserver-users
Re: [mapserver-users] substitution in a PostGIS layer .. ?
OK.. I missed the (must validate against DATAPATTERN) part. I added SPID_validation_pattern ^[0-9]+$ in my METADATA and it works!

However, it looks a little hackish to me .. I wondered if MapServer uses PQescapeStringConn() in the background? In other words: is _validation_pattern the only way to protect against SQL injection? What if I allow a pattern that may take part in a SQL injection (like ', #, ..)?

Thanks,
Julien

On 07/13/2011 14:29, Julien Cigar wrote:
> Hello,
>
> I have the following mapfile: http://www.pastie.org/2206896 with the following SLD: http://www.pastie.org/2206902 (generated dynamically).
>
> I wondered how I can change the WHERE sp.id=%SPID% in the subselect (following a CGI parameter)? I read http://mapserver.org/cgi/runsub.html, and tried with %SPID% (by passing SPID=3 in my URL) but it doesn't seem to work ... any idea?
>
> Thanks,
> Julien
Re: [mapserver-users] substitution in a PostGIS layer .. ?
On 11-07-13 08:41 AM, Julien Cigar wrote:
> OK.. I missed the (must validate against DATAPATTERN) part. I added SPID_validation_pattern ^[0-9]+$ in my METADATA and it works!
>
> However, it looks a little hackish to me .. I wondered if MapServer uses PQescapeStringConn() in the background? In other words: is _validation_pattern the only way to protect against SQL injection? What if I allow a pattern that may take part in a SQL injection (like ', #, ..)?

The %variable% replacement stuff does not attempt to do any kind of escaping at the moment, so yes, you are on your own with your validation pattern.

--
Daniel Morissette
http://www.mapgears.com/
Provider of Professional MapServer Support since 2000
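To make Daniel's point concrete, here is a small model of the substitution step as the thread describes it (an added example, not MapServer's code): a %NAME% token is only replaced when METADATA carries a NAME_validation_pattern the CGI value matches, and the value is then spliced into the DATA string with no SQL escaping at all. The mapfile fragment, the metadata and the CGI values are constructed for the example; the assumption that the pattern is applied with search semantics (so anchors matter) mirrors the ^...$ pattern Julien used.

```python
import re

# Constructed DATA string modelled on the thread: a PostGIS subselect with a
# %SPID% runtime-substitution token (not copied from the pastie mapfile).
DATA = ("geom FROM (SELECT sp.geom, sp.id FROM species sp "
        "WHERE sp.id=%SPID%) AS subquery USING UNIQUE id")

TOKEN = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")


def validate(name, value, metadata):
    """True only if METADATA has NAME_validation_pattern and the value matches.
    Assumption: the pattern is applied with search semantics, as a POSIX
    regexec would do, so an unanchored pattern matches on any substring."""
    pattern = metadata.get(name + "_validation_pattern")
    if pattern is None:
        return False                      # no pattern -> token is never replaced
    return re.search(pattern, value) is not None


def is_anchored(pattern):
    """Defender check: does the pattern pin both ends of the value?"""
    return pattern.startswith("^") and pattern.endswith("$")


def substitute(data, params, metadata):
    """Model of %variable% replacement: validated values are inserted verbatim.
    No escaping happens here, which is exactly Daniel's point."""
    def repl(match):
        name = match.group(1)
        if name not in params or name + "_validation_pattern" not in metadata:
            return match.group(0)         # left untouched, as Julien first saw
        value = params[name]
        if not validate(name, value, metadata):
            raise ValueError(f"{name}={value!r} rejected by validation pattern")
        return value
    return TOKEN.sub(repl, data)


if __name__ == "__main__":
    strict = {"SPID_validation_pattern": "^[0-9]+$"}
    loose = {"SPID_validation_pattern": "[0-9]+"}   # unanchored: admits 3'
    print(substitute(DATA, {"SPID": "3"}, strict))
    print(is_anchored(loose["SPID_validation_pattern"]))
    print(validate("SPID", "3'", loose))
```

The last two lines show the practical caveat: an unanchored pattern still "validates" a value carrying a quote, and that quote then lands unescaped in the query.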
Re: [mapserver-users] substitution in a PostGIS layer .. ?
On 07/13/2011 15:07, Daniel Morissette wrote:
> On 11-07-13 08:41 AM, Julien Cigar wrote:
>> OK.. I missed the (must validate against DATAPATTERN) part. I added SPID_validation_pattern ^[0-9]+$ in my METADATA and it works!
>>
>> However, it looks a little hackish to me .. I wondered if MapServer uses PQescapeStringConn() in the background? In other words: is _validation_pattern the only way to protect against SQL injection? What if I allow a pattern that may take part in a SQL injection (like ', #, ..)?
>
> The %variable% replacement stuff does not attempt to do any kind of escaping at the moment, so yes, you are on your own with your validation pattern.

This may be a stupid question but: is there a reason why PQescapeStringConn() is not used to do the substitution?

Thanks,
Julien
Re: [mapserver-users] substitution in a PostGIS layer .. ?
Julien Cigar wrote:
> This may be a stupid question but: is there a reason why PQescapeStringConn() is not used to do the substitution?

Perhaps because MapServer does not support just PostgreSQL but also Oracle, SQL Server, MySQL, Informix, CouchDB etc. Therefore it is good to have some general purpose validation system. Of course, more sophisticated systems for each datastore would not harm.

-Jukka Rahkonen-

> Thanks,
> Julien