MapServer & PostGIS Security
pramsey at REFRACTIONS.NET
Fri Dec 22 19:22:26 EST 2006
Additionally, tighten up your PgSQL connection rules, make sure only
your mapserver box can connect to the postgresql instance.
And make sure you don't have a DATAPATTERN set, so that people can't
override your data statement remotely and play SQL injection games.
On 22-Dec-06, at 3:47 PM, Bill Thoen wrote:
> I've just recently got MapServer going with data from a PostGIS
> and I'd like to know what the "best practices" are in terms of
> The problem I see is that you have to put a PostGIS username and
> in your mapfile on the CONNECTION line, which is easily viewed by
> So what I've done is moved my mapfile out of the html directory
> tree and
> am also using a user with read-only privs to the tables I want to
> and access to nothing else. But what do people who know what
> they're doing
> do to ensure that there are no security holes?
> - Bill Thoen
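
The connection-rule advice above, as an added example that is not part of the original thread: a small Python audit of `pg_hba.conf` that flags any network rule admitting hosts other than the MapServer box, or using the `trust` method. The address 192.0.2.10, the database `gisdb`, the role `mapreader` and the sample file contents are constructed for illustration; IPv4 is assumed.

```python
import ipaddress

# Constructed values: the MapServer host address and sample pg_hba.conf content.
MAPSERVER_IP = "192.0.2.10"
SAMPLE_HBA = """\
# TYPE  DATABASE  USER       ADDRESS          METHOD
local   all       postgres                    peer
host    gisdb     mapreader  192.0.2.10/32    md5
host    gisdb     mapreader  192.0.2.0/24     md5
host    all       all        0.0.0.0/0        md5
host    gisdb     mapreader  192.0.2.10 255.255.255.255 trust
"""

def audit_hba(text, allowed_ip):
    """Return (line_no, reason) for each network rule that is too permissive."""
    allowed = ipaddress.ip_network(allowed_ip + "/32")  # IPv4 assumed
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields or not fields[0].startswith("host"):
            continue  # skip blanks, comments and local (Unix-socket) rules
        if len(fields) < 5:
            findings.append((no, "malformed rule"))
            continue
        addr, rest = fields[3], fields[4:]
        # Older style: address and netmask in separate columns.
        if "/" not in addr and len(rest) >= 2 and rest[0].count(".") == 3:
            addr, rest = f"{addr}/{rest[0]}", rest[1:]
        try:
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            # Hostnames and keywords such as samenet cannot be checked here.
            findings.append((no, f"non-literal address {addr!r}: review by hand"))
            net = None
        if net is not None and net != allowed:
            findings.append((no, f"{net} admits hosts other than the MapServer box"))
        if rest and rest[0] == "trust":
            findings.append((no, "trust method: no password required"))
    return findings

if __name__ == "__main__":
    for line_no, reason in audit_hba(SAMPLE_HBA, MAPSERVER_IP):
        print(f"line {line_no}: {reason}")
```
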