OK.. I missed the "(must validate against DATAPATTERN)" part.
I added "SPID_validation_pattern" "^[0-9]+$" in my METADATA and it works! However, it looks a little "hackish" to me... I wondered if MapServer uses PQescapeStringConn() in the background? In other words: is _validation_pattern the only way to protect against SQL injection? What if I allow a pattern that may take part in a SQL injection (like ', #, ...)?
Thanks,
Julien

On 07/13/2011 14:29, Julien Cigar wrote:

Hello,

I have the following mapfile: http://www.pastie.org/2206896 with the following SLD: http://www.pastie.org/2206902 (generated dynamically).

I wondered how I can change the WHERE sp.id=%SPID% in the subselect (following a CGI parameter)? I read http://mapserver.org/cgi/runsub.html, and tried with %SPID% (by passing &SPID=3 in my URL) but it doesn't seem to work... any idea?

Thanks,
Julien

_______________________________________________
mapserver-users mailing list
[email protected]
http://lists.osgeo.org/mailman/listinfo/mapserver-users
-- No trees were killed in the creation of this message. However, many electrons were terribly inconvenienced.
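A way to audit a candidate validation pattern before relying on it, as an added example that is not part of the original message and not MapServer's own code. It models run-time substitution as a regex search followed by plain textual replacement with no escaping (an assumption), and reports which SQL metacharacters a pattern lets through; the `species` table, the helper names and the probe list are hypothetical.

```python
import re

# Hypothetical DATA fragment modelled on the "WHERE sp.id=%SPID%" subselect in the post.
TEMPLATE = "SELECT * FROM species sp WHERE sp.id=%SPID%"

# Constructed probe list: characters that can take a value out of a numeric
# or quoted SQL context (quotes, comment starters, statement separators...).
SQL_METACHARS = ["'", '"', ";", "#", "-", "/", "*", "\\", " ", "(", ")", "="]


def substitute(template, key, value, pattern):
    """Validate value against pattern, then replace %KEY% textually.

    Assumption: nothing is escaped, so the pattern is the only barrier.
    """
    if re.search(pattern, value) is None:
        raise ValueError(f"{key}={value!r} rejected by {pattern!r}")
    return template.replace(f"%{key}%", value)


def leaked_metachars(pattern, sample="3"):
    """Return the metacharacters accepted when appended to a valid value."""
    leaked = []
    for ch in SQL_METACHARS:
        try:
            substitute(TEMPLATE, "SPID", sample + ch, pattern)
        except ValueError:
            continue  # the pattern rejected this character
        leaked.append(ch)
    return leaked


if __name__ == "__main__":
    candidates = {
        "strict (from the post)": r"^[0-9]+$",
        "permissive": r"^[0-9a-zA-Z' #]+$",
        "unanchored": r"[0-9]+",
    }
    for label, pattern in candidates.items():
        print(f"{label:24} {pattern:22} leaks: {leaked_metachars(pattern)}")
```

The unanchored case shows why the `^` and `$` in the pattern matter: with search semantics, any value that merely contains a digit passes.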
