Validating filters...
Frank Warmerdam
warmerdam at POBOX.COM
Fri Aug 31 11:12:51 EDT 2007
Steve Lime wrote:
> Hi guys: Question for the driver maintainers. What do the various drivers do
> to validate layer->filter values before they are passed to the underlying
> processing engine. The reason I ask is that attribute queries pass the value
> for qstring directly from the URL to the driver via the FILTER. That code
> doesn't attempt to sanitize the value at all. It doesn't know what to escape
> for say with PostgreSQL vs. SDE vs. Oracle. I'm worried about the
> possibility of SQL injection...
Steve,
OGR itself makes no effort to sanitize or check attribute filters before
evaluating them against the datastore - i.e. they run inside the database.
I skimmed mapogr.cpp and there is no sign of checking there either.
So, I think it is quite dangerous to default to allowing the FILTER
to be overridden by url.
Best regards,
--
---------------------------------------+--------------------------------------
I set the clouds in motion - turn up | Frank Warmerdam, warmerdam at pobox.com
light and sound - activate the windows | http://pobox.com/~warmerdam
and watch the world go round - Rush | President OSGeo, http://osgeo.org
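The pattern the thread is worried about, shown as a runnable added example (not MapServer code or any of its drivers): a `qstring` taken from the URL is spliced into the backend's WHERE clause, a crafted value rewrites the query, and two fixes are shown beside it: bind parameters where the backend offers them, and, for drivers that only accept a filter string, a whitelist of queryable columns plus literal escaping. The `parcels` table, the `ALLOWED_COLUMNS` whitelist and the function names are all constructed for this example; SQLite stands in for the real datastore.

```python
import sqlite3

# Constructed sample layer standing in for a PostGIS/OGR attribute table.
# Added example code, not MapServer's mapogr.cpp or any driver's code.
ALLOWED_COLUMNS = {"owner", "gid"}   # hypothetical whitelist of queryable items


def make_layer():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE parcels (gid INTEGER, owner TEXT, is_public INTEGER)")
    conn.executemany("INSERT INTO parcels VALUES (?, ?, ?)", [
        (1, "Main Street Park", 1),   # the only row a public query should see
        (2, "Jane Doe", 0),
        (3, "ACME Holdings", 0),
    ])
    return conn


def vulnerable_query(conn, qstring):
    """qstring from the URL is spliced straight into the backend WHERE clause."""
    sql = ("SELECT gid FROM parcels WHERE is_public = 1 "
           f"AND owner = '{qstring}'")
    return [row[0] for row in conn.execute(sql)]


def bound_query(conn, qstring):
    """Fix when the backend exposes bind parameters: the value never becomes
    part of the SQL text, so it cannot change the query's structure."""
    sql = "SELECT gid FROM parcels WHERE is_public = 1 AND owner = ?"
    return [row[0] for row in conn.execute(sql, (qstring,))]


def build_filter(column, value):
    """Fallback for drivers that only accept a filter *string* (the OGR
    attribute-filter case): check the column name against a whitelist and
    escape the value as an SQL string literal by doubling single quotes."""
    if column not in ALLOWED_COLUMNS:
        raise ValueError(f"column not queryable: {column!r}")
    if "\x00" in value:
        raise ValueError("NUL byte in filter value")
    return f"{column} = '" + value.replace("'", "''") + "'"


def filtered_query(conn, column, qstring):
    sql = ("SELECT gid FROM parcels WHERE is_public = 1 AND "
           + build_filter(column, qstring))
    return [row[0] for row in conn.execute(sql)]


def run_demo():
    conn = make_layer()
    honest = "Main Street Park"
    injected = "x' OR '1'='1"       # turns the clause into (... AND owner='x') OR TRUE
    return {
        "vuln_honest": vulnerable_query(conn, honest),          # [1]
        "vuln_injected": vulnerable_query(conn, injected),      # [1, 2, 3]: non-public rows leak
        "bound_honest": bound_query(conn, honest),              # [1]
        "bound_injected": bound_query(conn, injected),          # []
        "escaped_injected": filtered_query(conn, "owner", injected),  # []
    }


if __name__ == "__main__":
    for name, rows in run_demo().items():
        print(f"{name}: {rows}")
```

The escaping branch is only as good as its match to the backend's literal syntax: doubling single quotes is what standard SQL, PostgreSQL and Oracle expect, but a backend that also treats backslashes as escapes needs different handling, which is exactly the per-driver problem Steve raises. The column whitelist matters as much as the value escaping, since an attacker who controls the item name can inject without ever touching a quote.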