[mapserver-dev] Binding SQL Parameters
Steve Lime
Steve.Lime at dnr.state.mn.us
Mon Jul 6 15:53:49 EDT 2009
Can you post an example of what your mapfile config looks like now?
>>> On 7/6/2009 at 2:06 PM, in message
<381164.32216.qm at web51410.mail.re2.yahoo.com>, Dan Little <danlittle at yahoo.com>
wrote:
> I've been spending some time thinking about SQL injection and about filtering
> complex queries directly through the mapfile.
>
> I've been playing with the mappostgis.c file. I am replacing PQexec with a
> msPostGISExecute function. msPostGISExecute determines whether or not
> parameters (to be bound) have been passed into the query. If it determines
> they do exist, then the PQexecParams function is used.
>
> Right now, however, I am using a total hack to read the bound parameters...
> I'm using metadata containing a "|" pipe delimited list. It works for my
> dataset but there could exist those that actually use the pipe character as a
> valid value. I would like to add a keyword, or at least have someone
> suggest a better way to store an array, into the layer. Are there any
> thoughts on a good keyword name? Thoughts on a format? Is there a better way
> to store an array inside of metadata?
>
> Of course, I'm working completely outside of an RFC ... if one were
> established I would work inside its parameters. I have a short term need but
> would be willing to revise my maverick work. I have two projects (one in
> PostGIS, one in Oracle) that could both really use this functionality (so
> there is some sponsorship for my time to get this done). I also see it as
> providing a solution set for a number of folks looking to do the dynamic CGI
> mapping.
>
> Thanks,
>
> -Duck
>
>
>
> _______________________________________________
> mapserver-dev mailing list
> mapserver-dev at lists.osgeo.org
> http://lists.osgeo.org/mailman/listinfo/mapserver-dev
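As an added example (not MapServer's code; the backslash escaping rule and the helper names are assumptions), a small C helper that splits a pipe-delimited metadata array into the values a PQexecParams call would bind, tolerates a literal pipe inside a value, and refuses a query whose $N placeholders do not match the number of values supplied:

```c
#include <stdlib.h>
#include <string.h>
#define MAX_PARAMS 32

/* Split a '|'-delimited metadata value into bound parameters.  Assumed
 * escaping rule (not a MapServer convention): a backslash makes the next
 * character literal, so "a\|b" is one value containing a pipe.
 * Returns the count, or -1 on error; the caller free()s each value. */
int split_bound_params(const char *meta, char *values[], int max) {
    int n = 0;
    size_t bi = 0;
    char *buf;
    if (!meta || !*meta) return 0;                 /* nothing to bind */
    if (!(buf = malloc(strlen(meta) + 1))) return -1;
    for (size_t i = 0; ; i++) {
        char c = meta[i];
        if (c == '\\' && meta[i + 1] != '\0') {
            buf[bi++] = meta[++i];                 /* escaped: keep literally */
        } else if (c == '|' || c == '\0') {
            if (n >= max) { free(buf); return -1; }
            buf[bi] = '\0';
            values[n] = malloc(bi + 1);            /* copy the finished value */
            memcpy(values[n++], buf, bi + 1);
            bi = 0;
            if (c == '\0') break;
        } else buf[bi++] = c;
    }
    free(buf);
    return n;
}

/* Highest $N placeholder in the query text (0 if none). */
int max_placeholder(const char *sql) {
    int max = 0, v;
    for (const char *p = sql; *p; p++)
        if (*p == '$' && p[1] >= '1' && p[1] <= '9' && (v = atoi(p + 1)) > max)
            max = v;
    return max;
}

/* Returns the count to pass to PQexecParams() as nParams, or -1 when the
 * metadata does not supply exactly the values the query binds; in that
 * case refuse the query instead of falling back to string substitution. */
int bound_params_match(const char *sql, const char *meta) {
    char *values[MAX_PARAMS];
    int n = split_bound_params(meta, values, MAX_PARAMS);
    int ok = (n >= 0 && n == max_placeholder(sql));
    for (int i = 0; i < n; i++) free(values[i]);
    return ok ? n : -1;
}
```

The mismatch check is the part worth keeping whatever array format is chosen: a value containing an unescaped pipe silently shifts every later parameter, and the count test catches that before the query reaches the database.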