Validating filters...

Steve Lime Steve.Lime at DNR.STATE.MN.US
Fri Aug 31 11:02:03 EDT 2007


Hi guys: Question for the driver maintainers. What do the various drivers do to validate layer->filter values before they are passed to the underlying processing engine? The reason I ask is that attribute queries pass the value for qstring directly from the URL to the driver via the FILTER. That code doesn't attempt to sanitize the value at all. It doesn't know what to escape for, say, with PostgreSQL vs. SDE vs. Oracle. I'm worried about the possibility of SQL injection...

Steve



More information about the mapserver-dev mailing list