[mapserver-users] substitution in a PostGIS layer .. ?
Daniel Morissette
dmorissette at mapgears.com
Wed Jul 13 06:07:00 PDT 2011
On 11-07-13 08:41 AM, Julien Cigar wrote:
> OK.. I missed the "(must validate against DATAPATTERN)" part.
>
> I added "SPID_validation_pattern" "^[0-9]+$" in my METADATA and it works !
>
> However, it looks a little "hackish" to me .. I wondered if Mapserver
> uses PQescapeStringConn() in background? In other words: is
> _validation_pattern the only way to protect against SQL injection? What
> it I allow a pattern that may take part in a SQL injection (like ', #,
> ..) ?
>
The %variable% replacement stuff does not attempt to do any kind of
escaping at the moment, so yes you are on your own with your validation
pattern.
--
Daniel Morissette
http://www.mapgears.com/
Provider of Professional MapServer Support since 2000
More information about the MapServer-users
mailing list