<br><tt><font size=2>> Not any great hazard, I believe, ...</font></tt>
<br>
<br><font size=2 face="Arial">Mmh. I'd be cautious.</font>
<br>
<br><font size=2 face="Arial">Example:</font>
<br><font size=2 face="Arial">* Mapfile:</font>
<br><font size=2 face="Arial"> DATA "the_geom from buildings"<br>
</font>
<br><font size=2 face="Arial">* Set Filter via URL to this:</font>
<br><font size=2 face="Arial"> 1=1);DELETE FROM OTHERTABLE; DECLARE
X BINARY CURSOR FOR SELECT * from buildings WHERE (1=1</font>
<br>
<br><font size=2 face="Arial">I think Mapserver will create the following
statements: (I've added newlines)</font>
<br><font size=2 face="Arial">DECLARE mycursor BINARY CURSOR FOR SELECT
the_geom from buildings WHERE (1=1);</font>
<br><font size=2 face="Arial">DELETE FROM OTHERTABLE; </font>
<br><font size=2 face="Arial">DECLARE X BINARY CURSOR FOR SELECT * from
buildings WHERE (1=1) and (%s && setSRID( ...) )</font>
<br>
<br><font size=2 face="Arial">Mapserver calls PQExec with these statements.
PQExec will execute every statement and will return </font>
<br><font size=2 face="Arial">the results of the last one.</font>
<br>
<br><font size=2 face="Arial">Bye</font>
<br><font size=2 face="Arial">Benedikt Rothe</font>
<br>
<br>
<br><tt><font size=2>"Rahkonen Jukka" <Jukka.Rahkonen@mmmtike.fi>
schrieb am 26.01.2009 09:34:31:<br>
<br>
> Hi,</font></tt>
<br><tt><font size=2>> </font></tt>
<br><tt><font size=2>> Not any great hazard, I believe, if it means
that user can normally <br>
> get all the features, but only a subset when filter is set. It
is <br>
> different case if DATA clause is manipulated, and therefore that <br>
> must be connected to DATAPATTERN.</font></tt>
<br><tt><font size=2>> </font></tt>
<br><tt><font size=2>> -Jukka Rahkonen-</font></tt>
<br><tt><font size=2>> <br>
> Lähettäjä: mapserver-users-bounces@lists.osgeo.org [mailto:<br>
> mapserver-users-bounces@lists.osgeo.org] Puolesta umn-ms@hydrotec.de<br>
> Lähetetty: 26. tammikuuta 2009 10:03<br>
> Vastaanottaja: MapServer<br>
> Aihe: Re: [mapserver-users] Dynamin SQL with mapserver CGI?<br>
</font></tt>
<br><tt><font size=2>> <br>
> Hi <br>
> <br>
> > You can use a replaceable parameter in the FILTER clause if all
you ... <br>
> This introduces the hazard of SQL-Injection, doesn't it? <br>
> <br>
> Bye <br>
> Benedikt Rothe <br>
> <br>
> mapserver-users-bounces@lists.osgeo.org schrieb am 24.01.2009 14:04:42:<br>
> <br>
> > On Sat, Jan 24, 2009 at 3:18 AM, Saka Royban <srph124@yahoo.com>
wrote:<br>
> > > Hi all<br>
> > > I'm looking for a way to change SQL dynamically via URL
parameters. it<br>
> > > sounds from doc that changing DATA element in map file is
impossible. Is<br>
> > > there any other way?<br>
> > <br>
> > You can use a replaceable parameter in the FILTER clause if all
you<br>
> > want to do is alter the WHERE clause. So for example:<br>
> > FILTER "%criteria%"<br>
> > and<br>
> > criteria=id='value'<br>
> > would work with a database like Postgres.<br>
> > <br>
> > When working with a database you put the whole SQL WHERE clause
in the<br>
> > FILTER, whereas with shapefiles or ORG data sources you use the<br>
> > FILTERITEM and FILTER.<br>
> > <br>
> > -- <br>
> > Richard Greenwood<br>
> > richard.greenwood@gmail.com<br>
> > www.greenwoodmap.com<br>
> > _______________________________________________<br>
> > mapserver-users mailing list<br>
> > mapserver-users@lists.osgeo.org<br>
> > http://lists.osgeo.org/mailman/listinfo/mapserver-users</font></tt>