[mapserver-users] substitution in a PostGIS layer .. ?

Daniel Morissette dmorissette at mapgears.com
Wed Jul 13 09:07:00 EDT 2011


On 11-07-13 08:41 AM, Julien Cigar wrote:
> OK.. I missed the "(must validate against DATAPATTERN)" part.
>
> I added "SPID_validation_pattern" "^[0-9]+$" in my METADATA and it works !
>
> However, it looks a little "hackish" to me .. I wondered if Mapserver
> uses PQescapeStringConn() in background? In other words: is
> _validation_pattern the only way to protect against SQL injection? What
> it I allow a pattern that may take part in a SQL injection (like ', #,
> ..) ?
>

The %variable% replacement stuff does not attempt to do any kind of 
escaping at the moment, so yes you are on your own with your validation 
pattern.

-- 
Daniel Morissette
http://www.mapgears.com/
Provider of Professional MapServer Support since 2000



More information about the mapserver-users mailing list