[mapserver-users] Dynamic mapping with CGI parameters

Colin Wetherbee cww at denterprises.org
Tue Feb 26 12:16:18 PST 2008 

Greetings.

I have a fledgling MapServer application that uses PostgreSQL as its 
back-end.  Each set of data I would like to retrieve from PostgreSQL is 
specific to a certain user.  Currently, since the application is only in 
an alpha phase, I have MapServer retrieve the aggregate sum of the data 
in the database and display it on my map.  This isn't going to work for 
the real application, since different users need to see different sets 
of data.

I would like to do one of two things, but I've been poring over the 
documentation today and can't find any way to achieve either.  I would 
very much appreciate some assistance.  My two approaches are as follows, 
but if there are others, I would certainly be open to implementing 
something different.

Approach #1:

Since my application is written in Perl, I could use MapScript in Perl 
to generate bits of maps and return them to the browser as needed.  Perl 
would interpret cookies and perform session authentication before 
generating a customized map file to pass along to MapServer.  The Perl 
code [0] would look something like:

sub GetMapPiece()
{
   $req = new mapscript::OWSRequest();
   $req->setParameter("SERVICE", "WMS");
   $req->setParameter("VERSION", "1.1.0");
   $req->setParameter("REQUEST", $something);

   # The next two lines are the important ones...
   my $mapFile = GenerateMapFile({ userid => $someUserId });
   my $mapObj = new mapscript::mapObj($mapFile);

   mapscript::msIO_installStdoutToBuffer();
   my $dispatch_out = $map->OWSDispatch($req);
   return mapscript::msIO_getStdoutBufferString();
}

The problem with this is that, as far as I can tell, I can't create a 
mapObj from anything other than a file on disk.  I would like $mapFile 
to contain the full text of a dynamically created map file, and I would 
then like to be able to create a new mapObj from it.  My imaginary 
GenerateMapFile() function would generate the text for the map file, but 
it would never be saved to disk.

Approach #2:

This would be my preferred method, but from what I've read, I think 
approach #1 is more likely to happen.

This approach entails passing a CGI parameter to mapserv that could be 
substituted somewhere in the map file.  For example, the URL could be:

http://example.com/cgi-bin/mapserv?userid=1234

Then, the map file could contain something like:

     DATA "line FROM (
         SELECT num, id, line
         FROM jsview_journeyroutes
         WHERE us_id = {userid}
       ) AS foo USING UNIQUE id USING SRID=4326"

And, MapServer would see "WHERE us_id = {userid}" and, for {userid}, 
substitute the 1234 that was passed into mapserv as a CGI parameter.

Of course, doing this directly would cause nasty SQL injection attack 
problems, but I could properly sanitize the input with Perl.  No big 
deal there.

End Approaches.

Any thoughts on this?

Thanks.

Colin

[0] Adapted from 
<http://mapserver.gis.umn.edu/docs/howto/wxs_mapscript/#perl-example>.

More information about the MapServer-users mailing list