[UMN_MAPSERVER-USERS] mapserver 5 expression

John Cole john.cole at UAI.COM
Fri Aug 31 11:35:47 EDT 2007


I had asked a question about url substitution being a possible SQL injection
attack.  When I have had to do this kind of substitution in the mapfile,
I've resorted to a proxy that scrubbed the parameters, ensuring that they
are the expected type, but I would love either assurance that it isn't a
problem or for a secure solution to allow passing in parameters that are
used in sql queries.

And while expressions are processed by mapserver, it can be very easy to
want to take that same variable and put it in the SQL.  And sometimes the
people editing our mapfiles are not paranoid enough. :-)

John



Steve Lime wrote:
> 
> You are correct. Even if we re-enabled that functionality applications
> will break because of the syntax change in how URL configuration is
> handled. The migration guide talks about these changes.
> 
> I agree that EXPRESSIONs are not as likely to suffer from security
> problems although I don't like the idea of allowing it since there is no
> way to validate an expression without evaluating it. No security problems
> with that functionality have been reported. I still prefer using the
> runtime subs where you can apply your own checks. You can substitute
> entire expressions that way too.
> 
> Cc'ing mapserver-dev
> 
> Steve
> 
> 

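The "apply your own checks" approach from the thread, as an added example rather than code from the original post or from MapServer itself: URL parameters are validated against a per-parameter pattern before they are substituted into a %name% token that ends up inside SQL, and anything that fails is rejected outright. Parameter names, patterns and the DATA string are constructed assumptions.

```python
import re

# Constructed example of a scrubbing step for MapServer-style runtime
# substitution: URL parameters replace %name% tokens in a mapfile DATA or
# FILTER string that is later handed to the database. Names and patterns
# are hypothetical; the point is that nothing unvalidated reaches the SQL.

# Allowed shape of each parameter; fullmatch() below anchors the whole value.
PARAM_RULES = {
    "id":    re.compile(r"[0-9]{1,9}"),          # integer key
    "state": re.compile(r"[A-Z]{2}"),            # two-letter code
    "year":  re.compile(r"(19|20)[0-9]{2}"),     # plausible year
}

TOKEN = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")

class UnsafeParameter(ValueError):
    pass

def substitute(template, params, rules=PARAM_RULES):
    """Replace %name% tokens in template with validated values from params.

    Raises UnsafeParameter for a token with no rule, no supplied value, or a
    value that does not fully match its rule. Returns the substituted string.
    """
    def repl(match):
        name = match.group(1)
        rule = rules.get(name)
        if rule is None:
            raise UnsafeParameter(f"no validation rule for %{name}%")
        value = params.get(name)
        if value is None:
            raise UnsafeParameter(f"missing value for %{name}%")
        if not rule.fullmatch(value):
            raise UnsafeParameter(f"value for %{name}% rejected: {value!r}")
        return value
    return TOKEN.sub(repl, template)

def scrub(template, params):
    """Return (substituted_text, None) on success or (None, reason) on rejection."""
    try:
        return substitute(template, params), None
    except UnsafeParameter as exc:
        return None, str(exc)

# Constructed mapfile-style DATA string whose tokens land inside SQL.
DATA = "geom from (select * from parcels where id = %id% and st = '%state%') as sub"

if __name__ == "__main__":
    print(scrub(DATA, {"id": "42", "state": "MN"}))
    print(scrub(DATA, {"id": "42 or 1=1", "state": "MN"}))
```

A proxy in front of MapServer, as described in the thread, can run the same check and refuse the request instead of forwarding it.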