[mapserver-users] substitution in a PostGIS layer .. ?
Julien Cigar
jcigar at ulb.ac.be
Wed Jul 13 09:08:58 EDT 2011
On 07/13/2011 15:07, Daniel Morissette wrote:
> On 11-07-13 08:41 AM, Julien Cigar wrote:
>> OK.. I missed the "(must validate against DATAPATTERN)" part.
>>
>> I added "SPID_validation_pattern" "^[0-9]+$" in my METADATA and it
>> works !
>>
>> However, it looks a little "hackish" to me .. I wondered if Mapserver
>> uses PQescapeStringConn() in background? In other words: is
>> _validation_pattern the only way to protect against SQL injection? What
>> it I allow a pattern that may take part in a SQL injection (like ', #,
>> ..) ?
>>
>
> The %variable% replacement stuff does not attempt to do any kind of
> escaping at the moment, so yes you are on your own with your validation
> pattern.
>
This may be a stupid question but: is there a reason why
PQescapeStringConn() is not used to do the substitution?
Thanks,
Julien
--
No trees were killed in the creation of this message.
However, many electrons were terribly inconvenienced.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jcigar.vcf
Type: text/x-vcard
Size: 292 bytes
Desc: not available
Url : http://lists.osgeo.org/pipermail/mapserver-users/attachments/20110713/478d26f2/jcigar-0001.vcf
More information about the mapserver-users
mailing list