Andrea Aime wrote:
> [email protected] wrote:
>> Some thoughts from my side.
>>
>> 1) Using a regexp to avoid sql injection is a nice idea. But I think
>> most developers are not familiar with regexps and thus, the regexp
>> mostly used will be ".*", opening the door for all kinds of sql injection
>> attacks. Why not use prepared (callable) statements?
>
> Because the user sponsoring this requires changing parts of the query,
> not just values. So prepared statements are useless; there is no funding
> for that approach.
> If the PSC feels strongly against pure substitution + regexp (like
> MapServer does)
Right, it may be interesting to show how MapServer handles the param
substitution (it's really the same way I'm proposing):
http://mapserver.org/cgi/runsub.html
They use it for general substitution in the whole mapfile, which can also
contain layers defined as queries (and so have the parameters be part of
the query).

Cheers
Andrea

--
Andrea Aime
OpenGeo - http://opengeo.org
Expert service straight from the developers.

_______________________________________________
Geotools-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/geotools-devel
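As an added example (not code from GeoTools or MapServer), the Python below sketches the substitution-plus-regexp scheme the thread debates: placeholders in the %name% form MapServer's runtime substitution uses, each parameter expanded only when its whole value matches its validation regexp, and default-deny for any placeholder that lacks a rule. The sample view SQL, parameter names, patterns and defaults are constructed assumptions; the LAX table shows what the ".*" rule the first reply worries about lets through.

```python
import re

# Placeholder syntax follows MapServer runtime substitution: %name%
PLACEHOLDER = re.compile(r"%(\w+)%")


class ParamValidationError(ValueError):
    """A parameter is missing, has no validation rule, or fails its pattern."""


def substitute_params(template, params, validation, defaults=None):
    """Expand %name% placeholders in template from params.

    validation maps parameter name -> regexp the WHOLE value must match.
    A placeholder with no rule is refused (default deny), so a forgotten
    rule cannot silently open the query.
    """
    defaults = defaults or {}

    def expand(match):
        name = match.group(1)
        pattern = validation.get(name)
        if pattern is None:
            raise ParamValidationError(f"no validation rule for %{name}%")
        value = params.get(name, defaults.get(name))
        if value is None:
            raise ParamValidationError(f"%{name}% has no value and no default")
        # fullmatch anchors both ends: re.match would accept a valid prefix
        # followed by arbitrary SQL, and a trailing '$' still admits "\n".
        if re.fullmatch(pattern, value) is None:
            raise ParamValidationError(f"value {value!r} rejected for %{name}%")
        return value

    return PLACEHOLDER.sub(expand, template)


def rejects(template, params, validation, defaults=None):
    """True when substitution refuses the given parameters."""
    try:
        substitute_params(template, params, validation, defaults)
    except ParamValidationError:
        return True
    return False


# Constructed sample: a parametric SQL view with two substitutable parts.
SQL_VIEW = ("SELECT id, name, geom FROM roads "
            "WHERE type = '%rtype%' AND lanes >= %minlanes%")
STRICT = {"rtype": r"[a-z_]{1,20}", "minlanes": r"[0-9]{1,2}"}
LAX = {"rtype": r".*", "minlanes": r".*"}  # the ".*" the thread warns about
DEFAULTS = {"minlanes": "1"}  # assumed per-parameter default, as MapServer allows
```

Note that the validation regexp is all that stands between the request and the query text, which is exactly why a permissive rule such as ".*" is no protection at all.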
