On 11-07-13 08:41 AM, Julien Cigar wrote:
OK.. I missed the "(must validate against DATAPATTERN)" part.
I added "SPID_validation_pattern" "^[0-9]+$" in my METADATA and it works !
However, it looks a little "hackish" to me .. I wondered if Mapserver
uses PQescapeStringConn() in background? In other words: is
_validation_pattern the only way to protect against SQL injection? What
it I allow a pattern that may take part in a SQL injection (like ', #,
..) ?
The %variable% replacement stuff does not attempt to do any kind of
escaping at the moment, so yes you are on your own with your validation
pattern.
--
Daniel Morissette
http://www.mapgears.com/
Provider of Professional MapServer Support since 2000
_______________________________________________
mapserver-users mailing list
[email protected]
http://lists.osgeo.org/mailman/listinfo/mapserver-users
