Of course, part of security is also having your application hit your database
as a user that only has the rights that it needs. If your user only has select
rights on only the data that you want to expose, that should help limit some of
these issues.
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of [email protected]
Sent: Monday, January 26, 2009 4:43 AM
To: MapServer
Subject: Re: [mapserver-users] Dynamin SQL with mapserver CGI?
> Not any great hazard, I believe, ...
Mmh. I'd be cautious.
Example:
* Mapfile:
DATA "the_geom from buildings"
* Set Filter via URL to this:
1=1);DELETE FROM OTHERTABLE; DECLARE X BINARY CURSOR FOR SELECT *
from buildings WHERE (1=1
I think Mapserver will create the following statements: (I've added
newlines)
DECLARE mycursor BINARY CURSOR FOR SELECT the_geom from buildings WHERE
(1=1);
DELETE FROM OTHERTABLE;
DECLARE X BINARY CURSOR FOR SELECT * from buildings WHERE (1=1) and (%s
&& setSRID( ...) )
Mapserver calls PQExec with these statements. PQExec will execute every
statement and will return
the results of the last one.
Bye
Benedikt Rothe
"Rahkonen Jukka" <[email protected]> wrote on 26.01.2009 09:34:31:
> Hi,
>
> Not any great hazard, I believe, if it means that user can normally
> get all the features, but only a subset when filter is set. It is
> different case if DATA clause is manipulated, and therefore that
> must be connected to DATAPATTERN.
>
> -Jukka Rahkonen-
>
> From: [email protected] [mailto:
> [email protected]] On Behalf Of [email protected]
> Sent: 26 January 2009 10:03
> To: MapServer
> Subject: Re: [mapserver-users] Dynamin SQL with mapserver CGI?
>
> Hi
>
> > You can use a replaceable parameter in the FILTER clause if all you
...
> This introduces the hazard of SQL-Injection, doesn't it?
>
> Bye
> Benedikt Rothe
>
> [email protected] wrote on 24.01.2009 14:04:42:
>
> > On Sat, Jan 24, 2009 at 3:18 AM, Saka Royban <[email protected]> wrote:
> > > Hi all
> > > I'm looking for a way to change SQL dynamically via URL parameters. It
> > > sounds from doc that changing DATA element in map file is impossible. Is
> > > there any other way?
> >
> > You can use a replaceable parameter in the FILTER clause if all you
> > want to do is alter the WHERE clause. So for example:
> > FILTER "%criteria%"
> > and
> > criteria=id='value'
> > would work with a database like Postgres.
> >
> > When working with a database you put the whole SQL WHERE clause in the
> > FILTER, whereas with shapefiles or OGR data sources you use the
> > FILTERITEM and FILTER.
> >
> > --
> > Richard Greenwood
> > [email protected]
> > www.greenwoodmap.com
> > _______________________________________________
> > mapserver-users mailing list
> > [email protected]
> > http://lists.osgeo.org/mailman/listinfo/mapserver-users
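The point of the thread is that a replaceable FILTER parameter is pasted verbatim into the WHERE clause, so a value that closes the parenthesis and adds a semicolon becomes extra statements that PQexec runs. The following Python script is an added illustration of that substitution and of the allow-list check the thread points at (DATAPATTERN-style validation); it is not MapServer's code and not from any poster. The template, the DATA clause, the cursor statement shape and the `CRITERIA_PATTERN` regex are all constructed for the example, modelled on what the messages above show.

```python
import re

# Constructed template and DATA clause, modelled on the thread's
# FILTER "%criteria%" example and DATA "the_geom from buildings".
FILTER_TEMPLATE = "%criteria%"
DATA_CLAUSE = "the_geom from buildings"

# Constructed allow-list for the 'criteria' URL parameter, in the spirit of
# the DATAPATTERN check mentioned in the thread: only id='<token>' is accepted,
# so parentheses and semicolons can never reach the SQL string.
CRITERIA_PATTERN = re.compile(r"^id='[A-Za-z0-9_]{1,64}'$")


class FilterRejected(ValueError):
    """Raised when a URL parameter fails the allow-list check."""


def substitute(template, params):
    """Naive %name% substitution, assumed to mirror how a replaceable
    FILTER parameter is expanded: no quoting, no escaping."""
    return re.sub(r"%(\w+)%", lambda m: params[m.group(1)], template)


def build_statement(params):
    """Unvalidated path: the substituted filter lands inside the WHERE
    parentheses of the cursor declaration, as the thread shows."""
    where = substitute(FILTER_TEMPLATE, params)
    return (f"DECLARE mycursor BINARY CURSOR FOR SELECT {DATA_CLAUSE} "
            f"WHERE ({where})")


def is_allowed(value, pattern=CRITERIA_PATTERN):
    """True only if the whole value matches the allow-list pattern."""
    return pattern.fullmatch(value) is not None


def validated_statement(params, pattern=CRITERIA_PATTERN):
    """Validated path: reject anything outside the allow-list before it is
    ever substituted into SQL."""
    value = params.get("criteria", "")
    if not is_allowed(value, pattern):
        raise FilterRejected(f"criteria rejected by allow-list: {value!r}")
    return build_statement(params)


def statement_count(sql):
    """Rough count of SQL statements: semicolons outside single-quoted
    strings, plus one. A sanity check for what PQexec would be handed,
    not a real SQL parser (constructed helper)."""
    count, in_string = 1, False
    for ch in sql:
        if ch == "'":
            in_string = not in_string
        elif ch == ";" and not in_string:
            count += 1
    return count


if __name__ == "__main__":
    good = {"criteria": "id='42'"}
    # Harmless constructed value that closes the parenthesis and adds a
    # second statement, the same shape as the thread's example.
    bad = {"criteria": "1=1); SELECT 1 WHERE (1=1"}
    print(validated_statement(good))
    print("unvalidated statement count for bad input:",
          statement_count(build_statement(bad)))
    try:
        validated_statement(bad)
    except FilterRejected as exc:
        print("rejected:", exc)
```

Validation of this kind complements, rather than replaces, the least-privilege database account recommended at the top of the thread: the regex stops the extra statements from being formed, and a SELECT-only role limits the damage if a pattern is ever too loose.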