Andrea Aime wrote:
> Andrea Aime wrote:
>> [email protected] wrote:
>>> Some thoughts from my side.
>>>
>>> 1) Using a regexp to avoid sql injection is a nice idea. But I think
>>> most developers are not familiar with regexps and thus, the regexp
>>> mostly used will be ".*" opening the door for all kinds of sql injection
>>> attacks. Why not use prepared (callable) statements?
>> Because the user sponsoring this requires changing parts of the query,
>> not just values. So prepared statements are useless, there is no funding
>> for that approach.
>> If the PSC feels strongly against pure substitution + regexp (like
>> MapServer does)
>
> Right, it may be interesting to show how MapServer handles the param
> substitution (it's really the same way I'm proposing):
> http://mapserver.org/cgi/runsub.html
Btw, I'm wondering if we can find a middle ground about this by providing a
set of pre-cooked regular expressions to match a string content, a number and
so on, so that one does not need to be a regexp wizard to set up proper
protection. This would still leave the option to whoever has the need to pass
down real parts of SQL statements to do so (and assume the risk of doing so,
which might not be high if you're the app developer at the GeoTools level, or
if a web app like GeoServer is just used as a map making tool for front end
tools that have full control of how the map requests are made).

Cheers
Andrea

--
Andrea Aime
OpenGeo - http://opengeo.org
Expert service straight from the developers.

_______________________________________________
Geotools-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/geotools-devel
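The following is an added illustration of the substitution scheme the thread is debating, written for this page; it is not GeoTools or MapServer code. It assumes a `%name%` placeholder syntax and a small set of named "pre-cooked" validators (`number`, `string`, `identifier`), both of which are constructed here. It shows the point raised in both messages: a per-parameter regexp that is checked against the whole value blocks the usual break-out attempts, a placeholder with no validator is refused rather than silently substituted, and the `.*` catch-all, kept under an explicit `raw` name, lets the same value straight through.

```python
import re

# Pre-cooked validators for the named-placeholder substitution discussed in the
# thread. Constructed for this example; the names and patterns are assumptions,
# not GeoTools or MapServer code.
PRESETS = {
    # an integer or decimal literal, nothing else
    "number": re.compile(r"-?\d+(\.\d+)?"),
    # the payload of a single-quoted SQL string: letters, digits, spaces and a
    # few punctuation marks; no quote, backslash, semicolon or comment marker
    "string": re.compile(r"[A-Za-z0-9 _.,-]*"),
    # an unquoted identifier such as a column or table name
    "identifier": re.compile(r"[A-Za-z_][A-Za-z0-9_]*"),
    # the catch-all the first message warns about: accepts any value at all
    "raw": re.compile(r".*", re.DOTALL),
}

PLACEHOLDER = re.compile(r"%(\w+)%")


class SubstitutionError(ValueError):
    """Raised when a placeholder has no value, no validator, or a rejected value."""


def substitute(template, params, validators):
    """Expand every %name% in template with params[name], but only after the
    value fully matches the regexp registered for that name in validators.
    A validator is either a preset name or a compiled pattern. A placeholder
    with no validator is an error, so nothing is substituted unchecked by
    accident; unchecked substitution has to be asked for with "raw"."""
    def expand(match):
        name = match.group(1)
        if name not in params:
            raise SubstitutionError("no value for parameter %s" % name)
        if name not in validators:
            raise SubstitutionError("no validator for parameter %s" % name)
        pattern = validators[name]
        if isinstance(pattern, str):
            pattern = PRESETS[pattern]
        value = str(params[name])
        # fullmatch, not search: a regexp that matches only part of the value
        # must not let the remainder through
        if pattern.fullmatch(value) is None:
            raise SubstitutionError("value for %s rejected: %r" % (name, value))
        return value
    return PLACEHOLDER.sub(expand, template)


def try_substitute(template, params, validators):
    """Return the expanded SQL, or None when substitution was refused."""
    try:
        return substitute(template, params, validators)
    except SubstitutionError:
        return None


# Constructed sample query: a string value, a numeric value and a column name
# are all supplied by the caller. The last one is the "part of the query, not
# just a value" case that a prepared statement cannot parameterise.
TEMPLATE = ("SELECT name FROM roads WHERE type = '%type%' "
            "AND lanes >= %lanes% ORDER BY %sortcol%")
VALIDATORS = {"type": "string", "lanes": "number", "sortcol": "identifier"}

if __name__ == "__main__":
    good = {"type": "highway", "lanes": 2, "sortcol": "name"}
    print(substitute(TEMPLATE, good, VALIDATORS))
    # a value that tries to leave the quoted string is refused by "string" ...
    bad = dict(good, type="x' OR '1'='1")
    print(try_substitute(TEMPLATE, bad, VALIDATORS))
    # ... and accepted verbatim once the developer picks the ".*" catch-all
    print(try_substitute(TEMPLATE, bad, dict(VALIDATORS, type="raw")))
```

Two things worth noticing. The `string` preset is deliberately narrow: it also rejects legitimate values containing an apostrophe, so a real preset set would need either a broader character class plus quote doubling or a separate preset for such fields; that trade-off is exactly where the "assume the risk" opt-in from the message comes in. And `raw` is kept as a named preset rather than the default, so choosing unchecked substitution is a visible decision in the configuration that a reviewer can grep for.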
