[mapserver-users] Dynamic SQL with mapserver CGI?

umn-ms at hydrotec.de umn-ms at hydrotec.de
Mon Jan 26 05:42:38 EST 2009


> Not any great hazard, I believe, ...

Mmh. I'd be cautious.

Example:
* Mapfile:
   DATA "the_geom from buildings"

* Set Filter via URL to this:
  1=1);DELETE FROM OTHERTABLE; DECLARE X BINARY CURSOR FOR SELECT * from buildings WHERE (1=1

I think Mapserver will create the following statements (I've added newlines):
DECLARE mycursor BINARY CURSOR FOR SELECT the_geom from buildings WHERE (1=1);
DELETE FROM OTHERTABLE;
DECLARE X BINARY CURSOR FOR SELECT * from buildings WHERE (1=1) and (%s && setSRID( ...) )

Mapserver calls PQExec with these statements. PQExec will execute every statement and will return the results of the last one.

Bye
Benedikt Rothe


"Rahkonen Jukka" <Jukka.Rahkonen at mmmtike.fi> schrieb am 26.01.2009 09:34:31:

> Hi,
> 
> Not any great hazard, I believe, if it means that user can normally 
> get all the features, but only a subset when filter is set.  It is 
> different case if DATA clause is manipulated, and therefore that 
> must be connected to DATAPATTERN.
> 
> -Jukka Rahkonen-
> 
> From: mapserver-users-bounces at lists.osgeo.org [mailto:mapserver-users-bounces at lists.osgeo.org] On behalf of umn-ms at hydrotec.de
> Sent: 26 January 2009 10:03
> To: MapServer
> Subject: Re: [mapserver-users] Dynamic SQL with mapserver CGI?

> 
> Hi 
> 
> > You can use a replaceable parameter in the FILTER clause if all you 
... 
> This introduces the hazard of SQL-Injection, doesn't it? 
> 
> Bye 
> Benedikt Rothe 
> 
> mapserver-users-bounces at lists.osgeo.org schrieb am 24.01.2009 14:04:42:
> 
> > On Sat, Jan 24, 2009 at 3:18 AM, Saka Royban <srph124 at yahoo.com> wrote:
> > > Hi all
> > > I'm looking for a way to change SQL dynamically via URL parameters. It sounds from doc that changing DATA element in map file is impossible. Is there any other way?
> > 
> > You can use a replaceable parameter in the FILTER clause if all you
> > want to do is alter the WHERE clause. So for example:
> >    FILTER "%criteria%"
> > and
> >   criteria=id='value'
> > would work with a database like Postgres.
> > 
> > When working with a database you put the whole SQL WHERE clause in the
> > FILTER, whereas with shapefiles or OGR data sources you use the
> > FILTERITEM and FILTER.
> > 
> > -- 
> > Richard Greenwood
> > richard.greenwood at gmail.com
> > www.greenwoodmap.com
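The substitution Benedikt describes above, as an added example that is not code from the thread or from MapServer: it pastes a FILTER value into an approximation of the DECLARE ... CURSOR statement, counts the top-level statements that result, and applies an allowlist check of the kind Jukka's DATAPATTERN remark points to. The query template, the regex, and the function names are assumptions.

```python
import re

# Constructed approximation of the SQL MapServer builds around the mapfile's
# DATA clause; the "%s && setSRID(...)" box filter is kept as literal text.
QUERY_TEMPLATE = ("DECLARE mycursor BINARY CURSOR FOR SELECT {data} "
                  "WHERE ({filter}) and (%s && setSRID( ...) )")

# Values taken from the thread: the DATA clause and the injected FILTER value.
DATA_CLAUSE = "the_geom from buildings"
INJECTED_FILTER = ("1=1);DELETE FROM OTHERTABLE; DECLARE X BINARY CURSOR "
                   "FOR SELECT * from buildings WHERE (1=1")

# Allowlist for a replaceable FILTER parameter (assumed pattern): one
# identifier compared with one single-quoted literal, e.g. id='value'.
FILTER_PATTERN = re.compile(r"^[A-Za-z_]\w*\s*=\s*'[^';\\]*'$")


def build_query(data_clause, filter_value):
    """Naive substitution: the FILTER text is pasted into the SQL verbatim."""
    return QUERY_TEMPLATE.format(data=data_clause, filter=filter_value)


def count_statements(sql):
    """Count ';'-separated statements, ignoring ';' inside single quotes.
    More than one statement means the filter escaped its WHERE clause."""
    count, in_string = 1, False
    for ch in sql:
        if ch == "'":
            in_string = not in_string
        elif ch == ";" and not in_string:
            count += 1
    return count


def validate_filter(filter_value):
    """True only if the value matches the allowlist pattern."""
    return FILTER_PATTERN.fullmatch(filter_value) is not None


def build_query_checked(data_clause, filter_value):
    """Refuse to build SQL from a FILTER value that fails the allowlist."""
    if not validate_filter(filter_value):
        raise ValueError("FILTER value rejected by allowlist")
    return build_query(data_clause, filter_value)


if __name__ == "__main__":
    sql = build_query(DATA_CLAUSE, INJECTED_FILTER)
    print(sql)
    print("statements:", count_statements(sql))
    print("allowlist accepts injected value:", validate_filter(INJECTED_FILTER))
```

The multi-statement count is only a crude detector; the allowlist check is what actually keeps the FILTER value inside its WHERE clause.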