John, I know that there are quite a few people using database backends to MapServer. I will let the developers comment on the extent of input validation and protection against SQL injection.
David.

-----Original Message-----
From: UMN MapServer Users List [mailto:[EMAIL PROTECTED] On Behalf Of John Cole
Sent: Tuesday, April 10, 2007 2:53 PM
To: [email protected]
Subject: Re: [UMN_MAPSERVER-USERS] highlighting a feature in mode=map

David,

This works quite well, but I'm wondering if this kind of query opens a SQL layer up to a SQL injection attack? Are MapServer's expressions scrubbed for this possibility?

Thanks,
John

John,

I have done this when I want to highlight a particular county in the state. To do this, I need to know the ID (FIPS) for the poly. I create a URL variable that is passed to mapserv in the URL and then use that variable in an expression in a class in the counties layer. If you can successfully use GID in an expression in your map file, you can do it this way. Here is an example LAYER:

LAYER
  NAME basemap
  STATUS DEFAULT
  TYPE POLYGON
  DATA 'county'
  CLASSITEM "COUNTY_FIP"
  CLASS
    NAME "Low"
    EXPRESSION ('[COUNTY_FIP]' in '%group1%')
    OUTLINECOLOR 0 0 0
    COLOR 255 204 204
  END
END
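A check of the kind John is asking about, added here as an illustration and not code from the thread or from MapServer itself: it takes the EXPRESSION from David's LAYER, performs the %group1% substitution once with no validation and once behind an allow-list pattern, and shows that only the validated path refuses a value carrying a stray quote. The function names, the rule table and the assumption that group1 is a comma-separated list of five-digit county FIPS codes are mine; later MapServer releases offer a VALIDATION block in the mapfile for the same purpose.

```python
import re

# The class EXPRESSION from the LAYER in the thread. The CGI variable
# %group1% is substituted verbatim before the expression is evaluated.
EXPRESSION_TEMPLATE = "('[COUNTY_FIP]' in '%group1%')"

# Assumption: a legitimate group1 value is one or more five-digit county
# FIPS codes separated by commas, so anything else is rejected outright.
FIPS_LIST_RE = re.compile(r"^[0-9]{5}(,[0-9]{5})*$")
RULES = {"group1": FIPS_LIST_RE}


def substitute_unchecked(template, params):
    """Naive runtime substitution: whatever arrives in the URL lands in the
    expression unchanged, so a value containing a quote alters the structure
    of the expression rather than just the data it compares against."""
    expr = template
    for name, value in params.items():
        expr = expr.replace(f"%{name}%", value)
    return expr


def substitute_validated(template, params, rules):
    """Substitution guarded by a per-variable allow-list pattern. A variable
    with no rule, or whose value fails its rule, aborts the request before the
    value can reach the expression."""
    expr = template
    for name, value in params.items():
        rule = rules.get(name)
        if rule is None or not rule.fullmatch(value):
            raise ValueError(f"rejected value for {name}: {value!r}")
        expr = expr.replace(f"%{name}%", value)
    return expr


def expression_is_intact(expr, template):
    """Structural check: a benign substitution keeps the template's quote count
    and its outer layout; a value that smuggled in a quote breaks both."""
    return (expr.count("'") == template.count("'")
            and expr.startswith("('[COUNTY_FIP]' in '")
            and expr.endswith("')"))


def accepted(value, rules=RULES):
    """True when the validated path would let this group1 value through."""
    try:
        substitute_validated(EXPRESSION_TEMPLATE, {"group1": value}, rules)
        return True
    except ValueError:
        return False


# Constructed inputs: a well-formed FIPS list and a malformed value with a
# stray quote (a shape check only, not a working payload).
GOOD = {"group1": "48201,48339"}
BAD = {"group1": "48201'junk"}
```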
