[mapserver-users] Dynamic SQL with mapserver CGI?

umn-ms at hydrotec.de umn-ms at hydrotec.de
Mon Jan 26 03:03:17 EST 2009


Hi 

> You can use a replaceable parameter in the FILTER clause if all you ...
This introduces the hazard of SQL-Injection, doesn't it?

Bye
Benedikt Rothe

mapserver-users-bounces at lists.osgeo.org wrote on 24.01.2009 14:04:42:

> On Sat, Jan 24, 2009 at 3:18 AM, Saka Royban <srph124 at yahoo.com> wrote:
> > Hi all
> > I'm looking for a way to change SQL dynamically via URL parameters. It
> > sounds from doc that changing DATA element in map file is impossible. Is
> > there any other way?
> 
> You can use a replaceable parameter in the FILTER clause if all you
> want to do is alter the WHERE clause. So for example:
>    FILTER "%criteria%"
> and
>   criteria=id='value'
> would work with a database like Postgres.
> 
> When working with a database you put the whole SQL WHERE clause in the
> FILTER, whereas with shapefiles or OGR data sources you use the
> FILTERITEM and FILTER.
> 
> -- 
> Richard Greenwood
> richard.greenwood at gmail.com
> www.greenwoodmap.com
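The concern raised in this message, as an added example that is not part of the original thread: a layer that takes the whole WHERE clause from the request, next to one that accepts only a single value checked against a pattern. Layer, table, column and parameter names and the connection string are assumptions; the pattern is declared in a MapServer VALIDATION block (older releases used a `<name>_validation_pattern` METADATA entry instead), and FILTER is written as native SQL in the style the thread uses.

```mapfile
# Added example. All names below are hypothetical placeholders.

# Weak: the request supplies the entire WHERE clause, e.g.
#   ...&criteria=id='value'
# Whatever arrives in "criteria" is sent to the database as SQL.
LAYER
  NAME "parcels_any_clause"
  TYPE POLYGON
  CONNECTIONTYPE POSTGIS
  CONNECTION "host=db.example dbname=gis user=ms_reader"   # placeholder
  DATA "geom FROM parcels USING UNIQUE id USING srid=4326"
  FILTER "%criteria%"
END

# Narrower: the SQL structure is fixed in the mapfile; the request supplies
# only a value, e.g.
#   ...&parcel_id=1234
# and the value must match the anchored pattern before it is substituted.
LAYER
  NAME "parcels_by_id"
  TYPE POLYGON
  CONNECTIONTYPE POSTGIS
  # Assumption: ms_reader is a database role with SELECT on this table only,
  # so a value that slips through cannot modify data.
  CONNECTION "host=db.example dbname=gis user=ms_reader"   # placeholder
  DATA "geom FROM parcels USING UNIQUE id USING srid=4326"
  VALIDATION
    # Digits only, anchored at both ends: no quotes, spaces or operators.
    "parcel_id" "^[0-9]{1,9}$"
  END
  FILTER "id = %parcel_id%"
END
```

Keep the pattern anchored with `^` and `$` and limited to the characters the column can actually contain; a pattern that admits quotes or whitespace brings back the problem the first layer has.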