On 07/13/2011 15:07, Daniel Morissette wrote:
> On 11-07-13 08:41 AM, Julien Cigar wrote:
>> OK.. I missed the "(must validate against DATAPATTERN)" part.
>> I added "SPID_validation_pattern" "^[0-9]+$" in my METADATA and it works! However, it looks a little "hackish" to me .. I wondered if Mapserver uses PQescapeStringConn() in background? In other words: is _validation_pattern the only way to protect against SQL injection? What if I allow a pattern that may take part in a SQL injection (like ', #, ..)?
>
> The %variable% replacement stuff does not attempt to do any kind of escaping at the moment, so yes you are on your own with your validation pattern.
This may be a stupid question but: is there a reason why PQescapeStringConn() is not used to do the substitution?
Thanks,
Julien

--
No trees were killed in the creation of this message. However, many electrons were terribly inconvenienced.
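An added illustration (not MapServer's own code) of the behaviour Daniel describes: the %variable% substitution applies no escaping, so the per-variable _validation_pattern is the only gate between a request parameter and the SQL in DATA. The DATA string, the METADATA dictionaries, the "no pattern, no substitution" rule and the loose pattern are assumptions constructed for this example:

```python
import re

# Constructed METADATA, keyed the way MapServer names validation patterns.
# The strict pattern is the one from the thread; the loose one is a hypothetical
# mistake that lets quote characters through.
METADATA_STRICT = {"SPID_validation_pattern": r"^[0-9]+$"}
METADATA_LOOSE = {"SPID_validation_pattern": r"^.+$"}  # hypothetical, too weak

# Constructed DATA clause with a runtime-substituted %SPID% placeholder.
DATA = "geom FROM (SELECT * FROM parcels WHERE spid = %SPID%) AS sub USING UNIQUE spid"


class ValidationError(ValueError):
    pass


def substitute(data, params, metadata):
    """Mimic %variable% runtime substitution gated by NAME_validation_pattern.

    The value is dropped into DATA verbatim (no PQescapeStringConn-style
    escaping, as Daniel describes), so the pattern is the whole defence.
    A placeholder with no pattern is left unsubstituted (assumption made here).
    """
    def repl(match):
        name = match.group(1)
        if name not in params:
            return match.group(0)
        pattern = metadata.get(f"{name}_validation_pattern")
        if pattern is None:
            return match.group(0)  # no pattern: refuse to substitute at all
        value = params[name]
        # re.search mirrors an unanchored POSIX regexec; anchors live in the pattern.
        if not re.search(pattern, value):
            raise ValidationError(f"{name}={value!r} does not match {pattern}")
        return value
    return re.sub(r"%(\w+)%", repl, data)


def probe(metadata, value):
    """Return the resulting DATA string, or None when validation rejects the value."""
    try:
        return substitute(DATA, {"SPID": value}, metadata)
    except ValidationError:
        return None
```

With the strict pattern a value carrying a quote character never reaches the SQL; with the loose pattern it lands in DATA unescaped, which is exactly the exposure Julien asks about.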
mapserver-users mailing list: http://lists.osgeo.org/mailman/listinfo/mapserver-users
