[mapserver-dev] Binding SQL Parameters

Dan Little danlittle at yahoo.com
Mon Jul 6 15:06:51 EDT 2009


I've been spending some time thinking about SQL injection and about filtering complex queries directly through the mapfile.

I've been playing with the mappostgis.c file.  I am replacing PQexec with a msPostGISExecute function.  msPostGISExecute determines whether or not parameters (to be bound) have been passed into the query.  If it determines they do exist, then the PQexecParams function is used.

Right now, however, I am using a total hack to read the bound parameters... I'm using metadata containing a "|" pipe-delimited list.  It works for my dataset, but there could exist those that actually use the pipe character as a valid value.  I would like to add a keyword, or at least have someone suggest a better way to store an array, into the layer.   Are there any thoughts on a good keyword name? Thoughts on a format? Is there a better way to store an array inside of metadata?

Of course, I'm working completely outside of an RFC ... if one were established I would work inside its parameters.  I have a short-term need but would be willing to revise my maverick work.   I have two projects (one in PostGIS, one in Oracle) that could both really use this functionality (so there is some sponsorship for my time to get this done).  I also see it as providing a solution set for a number of folks looking to do the dynamic CGI mapping.

Thanks,

-Duck
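As an added illustration of the metadata-array question above (example code, not the author's patch or MapServer code): a hypothetical `split_params` helper that keeps the pipe delimiter but lets a value contain a literal `|` via a `\|` escape, producing exactly the `paramValues`/`nParams` pair that `PQexecParams` expects. Everything here, including the sample metadata string, is constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not MapServer code: split a metadata string into
 * bound-parameter values on '|', treating "\|" as a literal pipe and "\\"
 * as a literal backslash so any value can be stored. The result is the
 * paramValues array (and n is nParams) for PQexecParams, so the values
 * never enter the SQL text. Returns -1 if more than max_params values. */
int split_params(const char *meta, char **out, int max_params)
{
    size_t len = strlen(meta), b = 0;
    char *buf = malloc(len + 1);
    int n = 0;
    if (!buf) return -1;
    for (size_t i = 0; i <= len; i++) {
        char c = meta[i];
        if (c == '\\' && i + 1 < len) {
            buf[b++] = meta[++i];          /* escaped character: keep literally */
        } else if (c == '|' || c == '\0') {
            if (n == max_params) { for (int j = 0; j < n; j++) free(out[j]); free(buf); return -1; }
            buf[b] = '\0';
            out[n++] = strdup(buf);        /* one complete value (caller frees) */
            b = 0;
        } else {
            buf[b++] = c;
        }
    }
    free(buf);
    return n;
}

/* Parse meta and report whether value idx (0-based) equals expected. */
int param_equals(const char *meta, int idx, const char *expected)
{
    char *vals[16];
    int n = split_params(meta, vals, 16), ok = 0;
    if (n > idx && strcmp(vals[idx], expected) == 0) ok = 1;
    for (int i = 0; i < n; i++) free(vals[i]);
    return ok;
}

int main(void)
{
    char *vals[16];   /* constructed metadata: street name with a literal '|' */
    int n = split_params("Main St\\|North|42", vals, 16);
    for (int i = 0; i < n; i++) { printf("$%d = %s\n", i + 1, vals[i]); free(vals[i]); }
    return 0;
}
```

The query itself then references the values only as `$1`, `$2`, ... placeholders; the parsing above decides only how the list is stored in the mapfile, not how it reaches PostgreSQL.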

