[postgis-users] Postgres Geoportal SQL Injection Defense (Nicholas Tapia)
Nicholas Tapia
tapia.nicholas at gmail.com
Tue Jan 21 21:08:04 PST 2014
Thank you, Regina, Ben, and Brent, for your responses; much appreciated!
Your words gave me the help I needed and I'm now moving on towards making
my PostGIS Geoportal a reality... but apparently people do this thing
called... malicious hacking. And for databases they do it with SQL
injection.

So my question is: what kind of security issues do I need to be aware of
for my specific use case?

My use case is to allow a user to download shapefiles from a web browser
using their own queries as input for pgsql2shp or ogr2ogr.

For example, they would access the webpage, write a query in a box (and/or
with the help of a cleverly designed interface), and download the built
shapefile via email when it is ready. I would also like to allow the
first 50 rows to be returned to test their query and test the result of the
query.

I've checked out:
http://workshops.boundlessgeo.com/postgis-intro/security.html
'SQL Injection Attack and Defense', 2nd edition
http://gis.stackexchange.com/questions/76319/what-is-the-most-common-way-of-displaying-geodata-from-postgis-on-leaflet/76324#76324

Thanks!
-Nicholas
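The use case described in the post (a user-supplied query handed to pgsql2shp, plus a 50-row preview) has two separate injection surfaces: the SQL itself, which is by design under the user's control, and the shell command that invokes pgsql2shp. The following is an added example, not code from the post or from the PostGIS project, sketching the defensive shape a practitioner would give that pipeline: the database role the portal connects as is read-only and limited to the tables the portal exposes, the session sets read-only and timeout guards before any user SQL runs, the preview wraps the query in a subselect with a server-side LIMIT, and pgsql2shp is invoked as an argv list with no shell so the query text is never parsed by a shell. The role name geoportal_ro, the tables, the connection parameters and the sample queries are constructed for the example. The validation function is deliberately conservative (it rejects any semicolon, even inside a string literal); it is defence in depth, and the role's privileges remain the real boundary.

```python
import subprocess

PREVIEW_ROWS = 50

# Constructed one-time setup, run as a superuser: the portal never connects
# as the table owner. geoportal_ro can read only the listed tables, and the
# GRANTs are the real boundary; nothing below substitutes for them.
ROLE_SETUP_SQL = """
CREATE ROLE geoportal_ro LOGIN PASSWORD '<placeholder-password>';
REVOKE ALL ON SCHEMA public FROM geoportal_ro;
GRANT USAGE ON SCHEMA public TO geoportal_ro;
GRANT SELECT ON parcels, roads, zoning TO geoportal_ro;
ALTER ROLE geoportal_ro SET default_transaction_read_only = on;
ALTER ROLE geoportal_ro SET statement_timeout = '30s';
"""

# Statements the web tier runs on every connection before any user SQL, in
# case the role-level defaults are ever changed. The read-only setting blocks
# INSERT/UPDATE/DELETE/DDL; the timeout bounds a runaway or deliberately
# expensive query (the denial-of-service side of "let users write SQL").
SESSION_GUARDS = [
    "SET default_transaction_read_only = on",
    "SET statement_timeout = '30s'",
    "SET search_path = public",
]


def validate_user_query(sql):
    """Accept a single SELECT/WITH statement, reject everything else.

    Over-strict by design: a semicolon anywhere (even in a literal) is
    rejected so that stacked statements cannot ride along. Returns the
    cleaned query text."""
    query = sql.strip().rstrip(";").strip()
    if not query:
        raise ValueError("empty query")
    if ";" in query:
        raise ValueError("only one statement is allowed")
    first_word = query.split(None, 1)[0].upper()
    if first_word not in ("SELECT", "WITH"):
        raise ValueError("only SELECT queries are allowed")
    return query


def preview_sql(user_sql, limit=PREVIEW_ROWS):
    """Wrap the user's query so the preview cannot return more than `limit`
    rows, regardless of any LIMIT the user did or did not write."""
    query = validate_user_query(user_sql)
    return "SELECT * FROM ({}) AS user_query LIMIT {}".format(query, int(limit))


def pgsql2shp_argv(user_sql, out_path, dbname, host, port, user):
    """Build the pgsql2shp command as an argv list.

    Each element is passed to the process verbatim by subprocess; no shell
    ever sees the query text, so quotes, backticks or $(...) inside it are
    inert. pgsql2shp then runs the query itself, as `user`, which is why
    that role must be the restricted geoportal_ro above."""
    query = validate_user_query(user_sql)
    return ["pgsql2shp", "-f", out_path, "-h", host, "-p", str(port),
            "-u", user, dbname, query]


def run_export(user_sql, out_path, dbname, host="localhost", port=5432,
               user="geoportal_ro", timeout_s=600):
    """Run the export with no shell and a wall-clock bound (assumes pgsql2shp
    is on PATH and the password comes from PGPASSWORD or ~/.pgpass)."""
    argv = pgsql2shp_argv(user_sql, out_path, dbname, host, port, user)
    subprocess.run(argv, check=True, timeout=timeout_s)  # never shell=True


if __name__ == "__main__":
    # Constructed sample input: a query a portal user might submit.
    print(preview_sql("SELECT gid, geom FROM parcels WHERE zone = 'R1';"))
    print(pgsql2shp_argv("SELECT gid, geom FROM parcels WHERE zone = 'R1'",
                         "/tmp/parcels_r1.shp", "gisdb", "localhost", 5432,
                         "geoportal_ro"))
```

The preview wrapper is a convenience, not a security control: a query that survives validation still runs with whatever the connecting role can see, so the 50-row limit and the timeout only bound cost, while SELECT grants on a short list of tables bound what can be read.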