[mapserver-users] Dynamic SQL with mapserver CGI?

Fawcett, David David.Fawcett at state.mn.us
Mon Jan 26 09:47:48 EST 2009


Of course, part of security is also having your application hit your database as a user that only has the rights that it needs.  If your user only has select rights on only the data that you want to expose, that should help limit some of these issues.

	-----Original Message-----
	From: mapserver-users-bounces at lists.osgeo.org [mailto:mapserver-users-bounces at lists.osgeo.org] On Behalf Of umn-ms at hydrotec.de
	Sent: Monday, January 26, 2009 4:43 AM
	To: MapServer
	Subject: Re: [mapserver-users] Dynamic SQL with mapserver CGI?
	
	

	> Not any great hazard, I believe, ... 
	
	Mmh. I'd be cautious. 
	
	Example: 
	* Mapfile: 
	   DATA "the_geom from buildings"
	
	* Set Filter via URL to this: 
	  1=1);DELETE FROM OTHERTABLE; DECLARE X BINARY CURSOR FOR SELECT * from buildings WHERE (1=1 
	
	I think Mapserver will create the following statements: (I've added newlines) 
	DECLARE mycursor BINARY CURSOR FOR SELECT the_geom from buildings WHERE (1=1); 
	DELETE FROM OTHERTABLE; 
	DECLARE X BINARY CURSOR FOR SELECT * from buildings WHERE (1=1) and (%s && setSRID( ...) ) 
	
	Mapserver calls PQExec with these statements. PQExec will execute every statement and will return 
	the results of the last one. 
	
	Bye 
	Benedikt Rothe 
	
	
	"Rahkonen Jukka" <Jukka.Rahkonen at mmmtike.fi> wrote on 26.01.2009 09:34:31:
	
	> Hi, 
	>   
	> Not any great hazard, I believe, if it means that user can normally 
	> get all the features, but only a subset when filter is set.  It is 
	> different case if DATA clause is manipulated, and therefore that 
	> must be connected to DATAPATTERN. 
	>   
	> -Jukka Rahkonen- 
	> 
	> From: mapserver-users-bounces at lists.osgeo.org [mailto:
	> mapserver-users-bounces at lists.osgeo.org] On Behalf Of umn-ms at hydrotec.de
	> Sent: 26 January 2009 10:03
	> To: MapServer
	> Subject: Re: [mapserver-users] Dynamic SQL with mapserver CGI?
	
	> 
	> Hi 
	> 
	> > You can use a replaceable parameter in the FILTER clause if all you ... 
	> This introduces the hazard of SQL-Injection, doesn't it? 
	> 
	> Bye 
	> Benedikt Rothe 
	> 
	> mapserver-users-bounces at lists.osgeo.org wrote on 24.01.2009 14:04:42:
	> 
	> > On Sat, Jan 24, 2009 at 3:18 AM, Saka Royban <srph124 at yahoo.com> wrote:
	> > > Hi all
	> > > I'm looking for a way to change SQL dynamically via URL parameters. it
	> > > sounds from doc that changing DATA element in map file is impossible. Is
	> > > there any other way?
	> > 
	> > You can use a replaceable parameter in the FILTER clause if all you
	> > want to do is alter the WHERE clause. So for example:
	> >    FILTER "%criteria%"
	> > and
	> >   criteria=id='value'
	> > would work with a database like Postgres.
	> > 
	> > When working with a database you put the whole SQL WHERE clause in the
	> > FILTER, whereas with shapefiles or OGR data sources you use the
	> > FILTERITEM and FILTER.
	> > 
	> > -- 
	> > Richard Greenwood
	> > richard.greenwood at gmail.com
	> > www.greenwoodmap.com
	> > _______________________________________________
	> > mapserver-users mailing list
	> > mapserver-users at lists.osgeo.org
	> > http://lists.osgeo.org/mailman/listinfo/mapserver-users

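To make the point of the thread concrete, here is an added example (my own Python, not MapServer or libpq code) that reproduces what Benedikt describes: a replaceable `%criteria%` parameter pasted verbatim into the cursor declaration, split into the separate commands PQexec would run, first with a normal `criteria=id='value'` and then with the payload from his post. It then applies the kind of per-parameter validation pattern Jukka alludes to with DATAPATTERN, so that anything but a plain `id='<digits>'` is refused before any SQL is built. The query template, the bounding-box clause, the regex and the metadata key named in the comment are assumptions of this example; the statement text follows the shape quoted in the thread, not the driver's exact code.

```python
import re
from typing import List, Optional

# Added example, not MapServer's own code. It mimics how runtime
# substitution of FILTER "%criteria%" ends up inside the PostGIS cursor
# declaration, and how a whitelist pattern on the parameter stops injection.

DATA = "the_geom from buildings"   # the DATA line from the mapfile in the thread

# Stand-in for the spatial restriction MapServer appends after the FILTER.
# The real expression is longer; this abbreviation is an assumption.
BBOX_CLAUSE = "(the_geom && setSRID('BOX3D(0 0,10 10)'::box3d, 4326))"

# Constructed inputs: a legitimate filter value and the payload from the thread.
GOOD_CRITERIA = "id='42'"
EVIL_CRITERIA = ("1=1);DELETE FROM OTHERTABLE; "
                 "DECLARE X BINARY CURSOR FOR SELECT * from buildings WHERE (1=1")


def build_query(criteria: str) -> str:
    """Paste the FILTER text into the WHERE clause the way substitution does:
    no quoting, no escaping, whatever arrived in the URL parameter."""
    return (f"DECLARE mycursor BINARY CURSOR FOR SELECT {DATA} "
            f"WHERE ({criteria}) and {BBOX_CLAUSE}")


def split_statements(sql: str) -> List[str]:
    """Split on ';' to show how many separate commands a single PQexec string
    carries. Crude (it ignores ';' inside string literals), but enough to
    count what the injected text produces."""
    return [s.strip() for s in sql.split(";") if s.strip()]


# Hypothetical whitelist for the parameter. MapServer ties such a regex to the
# parameter in the mapfile (a *_validation_pattern METADATA entry in the 5.x
# series, a VALIDATION block in later releases; check the run-time
# substitution docs for the version in use). The pattern itself is an
# assumption: only id='<up to 10 digits>' is acceptable.
CRITERIA_PATTERN = re.compile(r"^id='[0-9]{1,10}'$")


def criteria_is_valid(criteria: str) -> bool:
    """Whitelist check: anything that is not exactly id='<digits>' is refused."""
    return CRITERIA_PATTERN.fullmatch(criteria) is not None


def safe_build_query(criteria: str) -> Optional[str]:
    """Substitute only a parameter that passed the pattern; otherwise build
    nothing, which is the behaviour you want from the CGI when the pattern fails."""
    if not criteria_is_valid(criteria):
        return None
    return build_query(criteria)


if __name__ == "__main__":
    for label, crit in (("good", GOOD_CRITERIA), ("evil", EVIL_CRITERIA)):
        stmts = split_statements(build_query(crit))
        print(f"{label}: {len(stmts)} statement(s) reach the server")
        for s in stmts:
            print("   ", s)
        print(f"{label}: passes validation pattern? {criteria_is_valid(crit)}")
```

The unvalidated path turns the payload into three commands, the second of which is `DELETE FROM OTHERTABLE`; the validated path never builds a query for it. David's point still applies as the second line of defence: if the CGI connects as a role that has only SELECT on `buildings`, the server refuses the DELETE, and because PQexec runs a multi-command string as one implicit transaction, the refusal aborts the cursor declaration with it instead of silently executing the rest.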