[mapserver-users] Dynamin SQL with mapserver CGI?
Rahkonen Jukka
Jukka.Rahkonen at mmmtike.fi
Mon Jan 26 00:34:31 PST 2009
Hi,
Not any great hazard, I believe, if it means that the user can normally get all the features, but only a subset when a filter is set. It is a different case if the DATA clause is manipulated, and therefore that must be connected to DATAPATTERN.
-Jukka Rahkonen-
________________________________
From: mapserver-users-bounces at lists.osgeo.org [mailto:mapserver-users-bounces at lists.osgeo.org] On behalf of umn-ms at hydrotec.de
Sent: 26 January 2009 10:03
To: MapServer
Subject: Re: [mapserver-users] Dynamin SQL with mapserver CGI?
Hi
> You can use a replaceable parameter in the FILTER clause if all you ...
This introduces the hazard of SQL-Injection, doesn't it?
Bye
Benedikt Rothe
mapserver-users-bounces at lists.osgeo.org wrote on 24.01.2009 14:04:42:
> On Sat, Jan 24, 2009 at 3:18 AM, Saka Royban <srph124 at yahoo.com> wrote:
> > Hi all
> > I'm looking for a way to change SQL dynamically via URL parameters. It
> > sounds from doc that changing DATA element in map file is impossible. Is
> > there any other way?
>
> You can use a replaceable parameter in the FILTER clause if all you
> want to do is alter the WHERE clause. So for example:
> FILTER "%criteria%"
> and
> criteria=id='value'
> would work with a database like Postgres.
>
> When working with a database you put the whole SQL WHERE clause in the
> FILTER, whereas with shapefiles or OGR data sources you use the
> FILTERITEM and FILTER.
>
> --
> Richard Greenwood
> richard.greenwood at gmail.com
> www.greenwoodmap.com
> _______________________________________________
> mapserver-users mailing list
> mapserver-users at lists.osgeo.org
> http://lists.osgeo.org/mailman/listinfo/mapserver-users
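The trade-off discussed in this thread, as an added example that is not part of any of the messages and is not MapServer code: a small Python model of `%name%` substitution that compares the thread's `FILTER "%criteria%"` with a narrower template in which only the compared value is replaceable and must match an anchored allow-list pattern. The `id = '%id%'` template, the patterns, the function names and the sample request values are all assumptions constructed for illustration.

```python
import re

def substitute(template, params, patterns):
    """Replace each %name% in template with the request value, failing closed
    when the value is missing or does not fully match its allow-list pattern."""
    def repl(match):
        name = match.group(1)
        if name not in params:
            raise KeyError(f"missing parameter {name!r}")
        value = params[name]
        pattern = patterns.get(name)
        # No pattern configured, or no full match: refuse to substitute.
        if pattern is None or re.fullmatch(pattern, value) is None:
            raise ValueError(f"parameter {name!r} rejected")
        return value
    return re.sub(r"%(\w+)%", repl, template)

# As in the thread: the whole WHERE clause is one parameter. Any pattern that
# admits a legitimate clause such as id='value' must admit SQL syntax.
WIDE = ("%criteria%", {"criteria": r".+"})

# Hypothetical tightening: the SQL is fixed in the template and only the
# compared value is replaceable, limited to a short identifier-like token.
NARROW = ("id = '%id%'", {"id": r"[A-Za-z0-9_]{1,32}"})

def where_clause(layer, params):
    template, patterns = layer
    return substitute(template, params, patterns)

def accepted(layer, params):
    try:
        where_clause(layer, params)
        return True
    except (KeyError, ValueError):
        return False

if __name__ == "__main__":
    # Constructed request values, not taken from any real log.
    requests = [
        (WIDE, {"criteria": "id='value'"}),
        (WIDE, {"criteria": "id='value' OR 1=1"}),
        (NARROW, {"id": "value"}),
        (NARROW, {"id": "value' OR '1'='1"}),
    ]
    for layer, params in requests:
        if accepted(layer, params):
            print("WHERE", where_clause(layer, params))
        else:
            print("rejected", params)
```

With the wide template the request decides the shape of the WHERE clause, so validation cannot separate a narrowing filter from any other clause; with the narrow template the quote character never reaches the SQL text.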