[mapserver-dev] Binding SQL Parameters

Dan Little danlittle at yahoo.com
Mon Jul 6 16:11:15 EDT 2009 

I actually have updated it to use a Mapfile keyword "BINDVALUE" ... In this example I just use BINDVALUE as an array.  Given a database like Oracle which lets the user name the parameters I think I'd try to do something like "PARAM=VALUE".  Of course, this style may be nearly impossible to duplicate over CGI.

        LAYER
                NAME 'students'
                CONNECTIONTYPE PostGIS
                CONNECTION 'dbname=ahsd user=ducky password=ducky1'
                DATA "wkb_geometry from students"
                FILTER 'elementary_school = $1 or elementary_school = $2'
                BINDVALUE '0420'
                BINDVALUE '0423'

                TYPE POINT

                STATUS DEFAULT

                CLASS
                        NAME 'Student'
                        STYLE
                                SYMBOL 'ellipse'
                                SIZE 6
                                COLOR 0 0 0
                        END
                        STYLE
                                SYMBOL 'ellipse'
                                SIZE 4
                                COLOR 255 0 0
                        END

                END

                #METADATA
                #       'bind_params' '0420|0421'
                #END
        END



----- Original Message ----
> From: Steve Lime <Steve.Lime at dnr.state.mn.us>
> To: Mapserver Dev <mapserver-dev at lists.osgeo.org>; Dan Little <danlittle at yahoo.com>
> Sent: Monday, July 6, 2009 2:53:49 PM
> Subject: Re: [mapserver-dev] Binding SQL Parameters
> 
> Can you post an example of what your mapfile config looks like now? 
> 
> >>> On 7/6/2009 at 2:06 PM, in message
> <381164.32216.qm at web51410.mail.re2.yahoo.com>, Dan Little 
> wrote:
> 
> > I've been spending sometime thinking about SQL injection and about filtering 
> > complex queries directly through the mapfile.
> > 
> > I've been playing with the mappostgis.c file.  I am replacing PQexec with a 
> > msPostGISExecute function.  msPostGISExecute determines whether or not 
> > parameters (to be bound) have been passed into the query.  If it determines 
> > they do exist, then the PQexecParams function is used.
> > 
> > Right now, however, I am using a total hack to read the bound parameters... 
> > I'm using metadata containing a "|" pipe delimited list.  It works for my 
> > dataset but there could exist those that actually use the pipe character as a 
> > valid value.  I would like to add a keyword, or at least have some one 
> > suggest a better way to store an array, into the layer.   Is there any 
> > thoughts on a good keyword name? Thoughts on a fomat? Is there a better way 
> > to store an array inside of metadata?
> > 
> > Of course, I'm working completely outside of an RFC ... if one were 
> > established I would work inside it's parameters I have a short term need but 
> > would be willing to revise my maverick work.   I have two projects (one in 
> > PostGIS, one in Oracle) that could both really use this functionality (so 
> > there is some sponsorship for my time to get this done).  I also see it as 
> > providing a solution set for a number of folks looking to do the dynamic CGI 
> > mapping.
> > 
> > Thanks,
> > 
> > -Duck
> > 
> > 
> >      
> > _______________________________________________
> > mapserver-dev mailing list
> > mapserver-dev at lists.osgeo.org 
> > http://lists.osgeo.org/mailman/listinfo/mapserver-dev

More information about the mapserver-dev mailing list