>> Same layer, but joined with different data sets. Oh, you actually want it
>> to perform SQL injection so that the different joins are part of the
>> request?
>> If so, beware of malicious use of the same.
>
> Agreed, but it doesn't seem like it creates too much more exposure than the
> current Parametric SQL Views (except that it exposes multiple layers with
> independent parameters).

Exposure is a matter of how you configure the regular expressions that do the
validation. If you know the parameter is a number or a plain string you can
make a strong regular expression that should prevent all attempts to inject
SQL. If you actually need to inject SQL of your own it might be quite hard to
avoid the malicious ones.

>> In general it would be good to have everything consistent, so have
>> this extension behave exactly like filters do (replicate if just one,
>> apply one by one if the number of param groups match the number of
>> layers, bomb out with an exception in case they don't match).
>
> Good point, the implementation that I included is lenient in that it allows
> for any number of sets of parameters to be specified but should enforce 0,1
> or N where N is the number of layers.

Yeah, at least we have to explain this behaviour only once in the guide.
Consistency helps make the software easier to use.

>> I did not get this one. The default behavior is to return just one
>> feature unless you manually specify a different number (by spec).
>> If there is any interaction with INFO_FORMAT that is a bug indeed.
>
> This may just be my misunderstanding. I was surprised that I got one
> feature back when INFO_FORMAT was not specified, and multiple features when
> it was specified.

If this is what you see then there is a bug at work indeed.
The parameter that controls how many features are returned from the
GetFeatureInfo is called FEATURE_COUNT.

> I will separate out the matters that I discussed as best as I can and enter
> them in JIRA.

Cool, thanks!

Cheers
Andrea

-----------------------------------------------------
Ing. Andrea Aime
Senior Software Engineer
GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584962313
fax: +39 0584962313
http://www.geo-solutions.it
http://geo-solutions.blogspot.com/
http://www.linkedin.com/in/andreaaime
http://twitter.com/geowolf
-----------------------------------------------------

_______________________________________________
Geoserver-devel mailing list
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
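
The regular-expression validation and the 0, 1 or N parameter-group rule discussed in this message, as an added example that is not part of the original post and is not GeoServer's code. The `%name%` placeholder form, the sample view, the patterns, the defaults and every function name are assumptions made for the illustration.

```python
import re

class ViewParamError(ValueError):
    """Raised when parameter groups or values are rejected."""

# Constructed sample view; placeholder syntax, names and patterns are assumptions.
SQL = "SELECT * FROM states WHERE persons > %low% AND state_name = '%name%'"
VALIDATORS = {"low": r"\d{1,9}", "name": r"[A-Za-z ]{1,40}"}
DEFAULTS = {"low": "0", "name": "Texas"}

def resolve_groups(groups, layer_count):
    """0 groups: defaults everywhere; 1: replicated; N: one per layer; else error."""
    if len(groups) == 0:
        return [{} for _ in range(layer_count)]
    if len(groups) == 1:
        return [dict(groups[0]) for _ in range(layer_count)]
    if len(groups) == layer_count:
        return [dict(g) for g in groups]
    raise ViewParamError(f"{len(groups)} parameter groups for {layer_count} layers")

def expand_view(sql, params, validators=VALIDATORS, defaults=DEFAULTS):
    """Substitute placeholders only after every value passes its validator."""
    unknown = set(params) - set(validators)
    if unknown:
        raise ViewParamError(f"undeclared parameters: {sorted(unknown)}")
    values = {**defaults, **params}

    def substitute(match):
        name = match.group(1)
        if name not in validators or name not in values:
            raise ViewParamError(f"no validator or value for {name!r}")
        # fullmatch anchors both ends; re.match with '$' would accept "5\n".
        if not re.fullmatch(validators[name], values[name]):
            raise ViewParamError(f"rejected value for {name!r}")
        return values[name]

    return re.sub(r"%(\w+)%", substitute, sql)

def expand_request(sql, groups, layer_count):
    """Return one expanded query per layer in the request."""
    return [expand_view(sql, g) for g in resolve_groups(groups, layer_count)]

if __name__ == "__main__":
    for query in expand_request(SQL, [{"low": "100"}, {"name": "Ohio"}], 2):
        print(query)
```

A validator loose enough to accept arbitrary SQL fragments passes every check here, which is the case the message describes as hard to protect.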
