[mapserver-users] substitution in a PostGIS layer .. ?

Julien Cigar jcigar at ulb.ac.be
Wed Jul 13 08:41:48 EDT 2011


OK.. I missed the "(must validate against DATAPATTERN)" part.

I added "SPID_validation_pattern" "^[0-9]+$" in my METADATA and it works !

However, it looks a little "hackish" to me .. I wondered if MapServer 
uses PQescapeStringConn() in the background? In other words: is 
_validation_pattern the only way to protect against SQL injection? What 
if I allow a pattern that may take part in a SQL injection (like ', #, ..) ?

Thanks,
Julien

On 07/13/2011 14:29, Julien Cigar wrote:
> Hello,
>
> I have the following mapfile: http://www.pastie.org/2206896 with the
> following SLD: http://www.pastie.org/2206902 (generated dynamically)
>
> I wondered how I can change the WHERE sp.id=%SPID% in the subselect
> (following a CGI parameter)?
>
> I read http://mapserver.org/cgi/runsub.html, and tried with %SPID% (by
> passing &SPID=3 in my URL) but it doesn't seem to work ... any idea?
>
> Thanks,
> Julien


-- 
No trees were killed in the creation of this message.
However, many electrons were terribly inconvenienced.
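
A small model of the check this message asks about, as an added example that is not part of the original post and is not MapServer's code: a %SPID% token is replaced in a SQL string only when the value matches its "SPID_validation_pattern". The DATA string, the LOOSE pattern, the function names and the assumption that the value is inserted verbatim with no escaping are all constructed for illustration.

```python
import re

# Constructed stand-in for the subselect in the layer's DATA statement.
DATA_TEMPLATE = ("the_geom FROM (SELECT sp.id, sp.the_geom FROM species sp "
                 "WHERE sp.id=%SPID%) AS sub USING UNIQUE id")

STRICT = {"SPID_validation_pattern": "^[0-9]+$"}           # pattern from the message
LOOSE = {"SPID_validation_pattern": "^[0-9A-Za-z ='#]+$"}  # constructed: admits ' and #

TOKEN = re.compile(r"%([A-Za-z0-9_]+)%")


class RejectedParameter(ValueError):
    """Raised when a substitution value must not reach the SQL string."""


def substitute(template, params, metadata):
    """Replace every %KEY% with params[KEY] after pattern validation.

    Model assumption: the accepted value is inserted verbatim (no escaping),
    so the pattern is the only thing standing between the URL and the query.
    """
    def replace(match):
        key = match.group(1)
        pattern = metadata.get(key + "_validation_pattern")
        if pattern is None:                 # no pattern declared: refuse
            raise RejectedParameter("no validation pattern for " + key)
        value = params.get(key)
        if value is None:
            raise RejectedParameter("missing parameter " + key)
        # fullmatch: the whole value must match, including any trailing newline
        if re.fullmatch(pattern, value) is None:
            raise RejectedParameter("value for %s fails %s" % (key, pattern))
        return value
    return TOKEN.sub(replace, template)


def try_substitute(spid, metadata):
    """Return the final SQL string, or None when the value is rejected."""
    try:
        return substitute(DATA_TEMPLATE, {"SPID": spid}, metadata)
    except RejectedParameter:
        return None


if __name__ == "__main__":
    for meta in (STRICT, LOOSE):
        for spid in ("3", "3 OR 1=1"):
            print(meta["SPID_validation_pattern"], repr(spid), "->", try_substitute(spid, meta))
```

With the digits-only pattern the second value is refused; with the looser pattern it passes and changes the WHERE clause, so in this model the pattern has to be as narrow as the SQL context the token sits in.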