← Back to branch summary

~ubuntu-branches/ubuntu/saucy/mapserver/saucy-security

« back to all changes in this revision

Viewing changes to debian/patches/wfs_sql_injection.patch

  • Committer: Package Import Robot
  • Author(s): Francesco Paolo Lovergine
  • Date: 2011-12-23 14:02:06 UTC
  • mfrom: (26.1.2 sid)
  • Revision ID: package-import@ubuntu.com-20111223140206-n3h9t2hsa8hyslmu
Tags: 6.0.1-2
Added missed stuff for libmapscript-perl.

Show diffs side-by-side

added added

removed removed

Lines of Context:
debian/patches/wfs_sql_injection.patch
1
 
Author: aboudreault@mapgears.com
2
 
Bug: http://trac.osgeo.org/mapserver/ticket/3874
3
 
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/mapserver/+bug/809133
4
 
Description: Fix possible WFS sql injection
5
 
 Note: updated to include http://trac.osgeo.org/mapserver/changeset/11914 and
6
 
 fix the warning introduced in msOGREscapeSQLParam -- sbeattie)
7
 
 
8
 
Index: mapserver-5.6.6/maplayer.c
9
 
===================================================================
10
 
--- mapserver-5.6.6.orig/maplayer.c     2011-09-09 09:43:52.000000000 -0500
11
 
+++ mapserver-5.6.6/maplayer.c  2011-09-09 09:44:02.000000000 -0500
12
 
@@ -1051,6 +1051,85 @@
13
 
   return MS_FAILURE;
14
 
 }
15
 
 
16
 
+/************************************************************************/
17
 
+/*                          LayerDefaultEscapeSQLParam                  */
18
 
+/*                                                                      */
19
 
+/*      Default function used to escape strings and avoid sql           */
20
 
+/*      injection. Specific drivers should redefine if an escaping      */
21
 
+/*      function is available in the driver.                            */
22
 
+/************************************************************************/
23
 
+char *LayerDefaultEscapeSQLParam(layerObj *layer, const char* pszString)
24
 
+{
25
 
+     char *pszEscapedStr=NULL;
26
 
+     if (pszString)
27
 
+     {
28
 
+         int nSrcLen;
29
 
+         char c;
30
 
+         int i=0, j=0;
31
 
+         nSrcLen = (int)strlen(pszString);
32
 
+         pszEscapedStr = (char*) malloc( 2 * nSrcLen + 1);
33
 
+         for(i = 0, j = 0; i < nSrcLen; i++)
34
 
+         {
35
 
+             c = pszString[i];
36
 
+             if (c == '\'')
37
 
+             {
38
 
+                 pszEscapedStr[j++] = '\'';
39
 
+                 pszEscapedStr[j++] = '\'';
40
 
+             }
41
 
+             else if (c == '\\')
42
 
+             {
43
 
+                 pszEscapedStr[j++] = '\\';
44
 
+                 pszEscapedStr[j++] = '\\';
45
 
+             }
46
 
+             else
47
 
+               pszEscapedStr[j++] = c;
48
 
+         }
49
 
+         pszEscapedStr[j] = 0;
50
 
+     }  
51
 
+     return pszEscapedStr;
52
 
+}
53
 
+
54
 
+/************************************************************************/
55
 
+/*                          LayerDefaultEscapePropertyName              */
56
 
+/*                                                                      */
57
 
+/*      Return the property name in a properly escaped and quoted form. */
58
 
+/************************************************************************/
59
 
+char *LayerDefaultEscapePropertyName(layerObj *layer, const char* pszString)
60
 
+{
61
 
+     char* pszEscapedStr=NULL;
62
 
+     int i, j = 0;   
63
 
+
64
 
+     if (layer && pszString && strlen(pszString) > 0)
65
 
+     {
66
 
+         int nLength = strlen(pszString);
67
 
+
68
 
+         pszEscapedStr = (char*) malloc( 1 + 2 * nLength + 1 + 1);
69
 
+         pszEscapedStr[j++] = '"';
70
 
+
71
 
+         for (i=0; i<nLength; i++)
72
 
+         {
73
 
+             char c = pszString[i];
74
 
+             if (c == '"')
75
 
+             {
76
 
+                 pszEscapedStr[j++] = '"';
77
 
+                 pszEscapedStr[j++] ='"';
78
 
+             }
79
 
+             else if (c == '\\')
80
 
+             {
81
 
+                 pszEscapedStr[j++] = '\\';
82
 
+                 pszEscapedStr[j++] = '\\';
83
 
+             }
84
 
+             else
85
 
+               pszEscapedStr[j++] = c;
86
 
+         }
87
 
+         pszEscapedStr[j++] = '"';
88
 
+         pszEscapedStr[j++] = 0;
89
 
+        
90
 
+     }
91
 
+     return pszEscapedStr;
92
 
+}
93
 
+
94
 
+
95
 
 /*
96
 
  * msConnectLayer
97
 
  *
98
 
@@ -1108,6 +1187,10 @@
99
 
     
100
 
   vtable->LayerGetNumFeatures = LayerDefaultGetNumFeatures;
101
 
 
102
 
+  vtable->LayerEscapeSQLParam = LayerDefaultEscapeSQLParam;
103
 
+
104
 
+  vtable->LayerEscapePropertyName = LayerDefaultEscapePropertyName;
105
 
+
106
 
   return MS_SUCCESS;
107
 
 }
108
 
 
109
 
@@ -1280,6 +1363,32 @@
110
 
     return i;
111
 
 }
112
 
 
113
 
+
114
 
+
115
 
+/*
116
 
+Returns an escaped string
117
 
+*/
118
 
+char  *msLayerEscapeSQLParam(layerObj *layer, const char*pszString) 
119
 
+{
120
 
+    if ( ! layer->vtable) {
121
 
+        int rv =  msInitializeVirtualTable(layer);
122
 
+        if (rv != MS_SUCCESS)
123
 
+            return "";
124
 
+    }
125
 
+    return layer->vtable->LayerEscapeSQLParam(layer, pszString);
126
 
+}
127
 
+
128
 
+char  *msLayerEscapePropertyName(layerObj *layer, const char*pszString) 
129
 
+{
130
 
+    if ( ! layer->vtable) {
131
 
+        int rv =  msInitializeVirtualTable(layer);
132
 
+        if (rv != MS_SUCCESS)
133
 
+            return "";
134
 
+    }
135
 
+    return layer->vtable->LayerEscapePropertyName(layer, pszString);
136
 
+}
137
 
+
138
 
+
139
 
 int
140
 
 msINLINELayerInitializeVirtualTable(layerObj *layer)
141
 
 {
142
 
@@ -1312,5 +1421,7 @@
143
 
     /* layer->vtable->LayerCreateItems, use default */
144
 
     layer->vtable->LayerGetNumFeatures = msINLINELayerGetNumFeatures;
145
 
 
146
 
+    /*layer->vtable->LayerEscapeSQLParam, use default*/
147
 
+    /*layer->vtable->LayerEscapePropertyName, use default*/
148
 
     return MS_SUCCESS;
149
 
 }
150
 
Index: mapserver-5.6.6/mapogcfilter.c
151
 
===================================================================
152
 
--- mapserver-5.6.6.orig/mapogcfilter.c 2011-09-09 09:43:52.000000000 -0500
153
 
+++ mapserver-5.6.6/mapogcfilter.c      2011-09-09 09:44:02.000000000 -0500
154
 
@@ -168,7 +168,7 @@
155
 
         if (tokens && nTokens == 2)
156
 
         {
157
 
             char szTmp[32];
158
 
-            sprintf(szTmp, "init=epsg:%s",tokens[1]);
159
 
+            snprintf(szTmp, sizeof(szTmp), "init=epsg:%s",tokens[1]);
160
 
             msInitProjection(psProj);
161
 
             if (msLoadProjectionString(psProj, szTmp) == 0)
162
 
               nStatus = MS_TRUE;
163
 
@@ -193,7 +193,7 @@
164
 
             if (nEpsgTmp > 0)
165
 
             {
166
 
                 char szTmp[32];
167
 
-                sprintf(szTmp, "init=epsg:%d",nEpsgTmp);
168
 
+                snprintf(szTmp, sizeof(szTmp), "init=epsg:%d",nEpsgTmp);
169
 
                 msInitProjection(psProj);
170
 
                 if (msLoadProjectionString(psProj, szTmp) == 0)
171
 
                   nStatus = MS_TRUE;
172
 
@@ -989,7 +989,7 @@
173
 
         if (tokens && nTokens == 2)
174
 
         {
175
 
             char szTmp[32];
176
 
-            sprintf(szTmp, "init=epsg:%s",tokens[1]);
177
 
+            snprintf(szTmp, sizeof(szTmp), "init=epsg:%s",tokens[1]);
178
 
             msInitProjection(&sProjTmp);
179
 
             if (msLoadProjectionString(&sProjTmp, szTmp) == 0)
180
 
               msProjectRect(&sProjTmp, &map->projection,  &sQueryRect);
181
 
@@ -1014,7 +1014,7 @@
182
 
             if (nEpsgTmp > 0)
183
 
             {
184
 
                 char szTmp[32];
185
 
-                sprintf(szTmp, "init=epsg:%d",nEpsgTmp);
186
 
+                snprintf(szTmp, sizeof(szTmp), "init=epsg:%d",nEpsgTmp);
187
 
                 msInitProjection(&sProjTmp);
188
 
                 if (msLoadProjectionString(&sProjTmp, szTmp) == 0)
189
 
                   msProjectRect(&sProjTmp, &map->projection,  &sQueryRect);
190
 
@@ -2780,9 +2780,9 @@
191
 
                               bString = 1;
192
 
                         }
193
 
                         if (bString)
194
 
-                          sprintf(szTmp, "('[%s]' = '%s')" , pszAttribute, tokens[i]);
195
 
+                          snprintf(szTmp, sizeof(szTmp), "('[%s]' = '%s')" , pszAttribute, tokens[i]);
196
 
                         else
197
 
-                           sprintf(szTmp, "([%s] = %s)" , pszAttribute, tokens[i]);
198
 
+                          snprintf(szTmp, sizeof(szTmp), "([%s] = %s)" , pszAttribute, tokens[i]);
199
 
 
200
 
                         if (pszExpression != NULL)
201
 
                           pszExpression = msStringConcatenate(pszExpression, " OR ");
202
 
@@ -2847,8 +2847,7 @@
203
 
                                 "PropertyIsLike") == 0)
204
 
             {
205
 
                  pszExpression = 
206
 
-                   FLTGetIsLikeComparisonSQLExpression(psFilterNode,
207
 
-                                                       connectiontype);
208
 
+                   FLTGetIsLikeComparisonSQLExpression(psFilterNode, lp);
209
 
             }
210
 
         }
211
 
     }
212
 
@@ -2885,6 +2884,7 @@
213
 
                 bString = 0;
214
 
                 if (tokens && nTokens > 0)
215
 
                 {
216
 
+                    char *pszEscapedStr = NULL;
217
 
                     for (i=0; i<nTokens; i++)
218
 
                     {
219
 
                         if (i == 0)
220
 
@@ -2893,10 +2893,14 @@
221
 
                             if (FLTIsNumeric(pszTmp) == MS_FALSE)    
222
 
                                bString = 1;
223
 
                         }
224
 
+                        pszEscapedStr = msLayerEscapeSQLParam(lp, tokens[i]);
225
 
                         if (bString)
226
 
-                          sprintf(szTmp, "(%s = '%s')" , pszAttribute, tokens[i]);
227
 
+                          snprintf(szTmp, sizeof(szTmp), "(%s = '%s')" , pszAttribute, pszEscapedStr);
228
 
                         else
229
 
-                           sprintf(szTmp, "(%s = %s)" , pszAttribute, tokens[i]);
230
 
+                          snprintf(szTmp, sizeof(szTmp), "(%s = %s)" , pszAttribute, pszEscapedStr);
231
 
+
232
 
+                        msFree(pszEscapedStr);
233
 
+                        pszEscapedStr=NULL;
234
 
 
235
 
                         if (pszExpression != NULL)
236
 
                           pszExpression = msStringConcatenate(pszExpression, " OR ");
237
 
@@ -3181,6 +3185,7 @@
238
 
 /************************************************************************/
239
 
 char *FLTGetBinaryComparisonExpresssion(FilterEncodingNode *psFilterNode, layerObj *lp)
240
 
 {
241
 
+    const size_t bufferSize = 1024;
242
 
     char szBuffer[1024];
243
 
     int bString=0;
244
 
     char szTmp[256];
245
 
@@ -3210,16 +3215,16 @@
246
 
       
247
 
 
248
 
     if (bString)
249
 
-      strcat(szBuffer, " (\"[");
250
 
+      strlcat(szBuffer, " (\"[", bufferSize);
251
 
     else
252
 
-      strcat(szBuffer, " ([");
253
 
+      strlcat(szBuffer, " ([", bufferSize);
254
 
     /* attribute */
255
 
 
256
 
-    strcat(szBuffer, psFilterNode->psLeftNode->pszValue);
257
 
+    strlcat(szBuffer, psFilterNode->psLeftNode->pszValue, bufferSize);
258
 
     if (bString)
259
 
-      strcat(szBuffer, "]\" ");
260
 
+      strlcat(szBuffer, "]\" ", bufferSize);
261
 
     else
262
 
-      strcat(szBuffer, "] "); 
263
 
+     strlcat(szBuffer, "] ", bufferSize);  
264
 
     
265
 
 
266
 
     /* logical operator */
267
 
@@ -3230,40 +3235,40 @@
268
 
         if (psFilterNode->psRightNode->pOther && 
269
 
             (*(int *)psFilterNode->psRightNode->pOther) == 1)
270
 
         {
271
 
-            strcat(szBuffer, "IEQ");
272
 
+            strlcat(szBuffer, "IEQ", bufferSize);
273
 
         }
274
 
         else
275
 
-          strcat(szBuffer, "=");
276
 
+          strlcat(szBuffer, "=",bufferSize);
277
 
     }
278
 
     else if (strcasecmp(psFilterNode->pszValue, 
279
 
                         "PropertyIsNotEqualTo") == 0)
280
 
-      strcat(szBuffer, "!="); 
281
 
+      strlcat(szBuffer, "!=", bufferSize); 
282
 
     else if (strcasecmp(psFilterNode->pszValue, 
283
 
                         "PropertyIsLessThan") == 0)
284
 
-      strcat(szBuffer, "<");
285
 
+      strlcat(szBuffer, "<", bufferSize);
286
 
     else if (strcasecmp(psFilterNode->pszValue, 
287
 
                         "PropertyIsGreaterThan") == 0)
288
 
-      strcat(szBuffer, ">");
289
 
+      strlcat(szBuffer, ">", bufferSize);
290
 
     else if (strcasecmp(psFilterNode->pszValue, 
291
 
                         "PropertyIsLessThanOrEqualTo") == 0)
292
 
-      strcat(szBuffer, "<=");
293
 
+      strlcat(szBuffer, "<=", bufferSize);
294
 
     else if (strcasecmp(psFilterNode->pszValue, 
295
 
                         "PropertyIsGreaterThanOrEqualTo") == 0)
296
 
-      strcat(szBuffer, ">=");
297
 
+      strlcat(szBuffer, ">=", bufferSize);
298
 
     
299
 
-    strcat(szBuffer, " ");
300
 
+    strlcat(szBuffer, " ", bufferSize);
301
 
     
302
 
     /* value */
303
 
     if (bString)
304
 
-      strcat(szBuffer, "\"");
305
 
+      strlcat(szBuffer, "\"", bufferSize);
306
 
     
307
 
     if (psFilterNode->psRightNode->pszValue)
308
 
-      strcat(szBuffer, psFilterNode->psRightNode->pszValue);
309
 
+      strlcat(szBuffer, psFilterNode->psRightNode->pszValue,bufferSize);
310
 
 
311
 
     if (bString)
312
 
-      strcat(szBuffer, "\"");
313
 
+      strlcat(szBuffer, "\"",bufferSize);
314
 
     
315
 
-    strcat(szBuffer, ") ");
316
 
+    strlcat(szBuffer, ") ",bufferSize);
317
 
 
318
 
     return strdup(szBuffer);
319
 
 }
320
 
@@ -3278,9 +3283,11 @@
321
 
 char *FLTGetBinaryComparisonSQLExpresssion(FilterEncodingNode *psFilterNode,
322
 
                                            layerObj *lp)
323
 
 {
324
 
+    const size_t bufferSize = 1024;
325
 
     char szBuffer[1024];
326
 
     int bString=0;
327
 
     char szTmp[256];
328
 
+    char* pszEscapedStr = NULL;
329
 
 
330
 
     szBuffer[0] = '\0';
331
 
     if (!psFilterNode || !
332
 
@@ -3309,7 +3316,9 @@
333
 
       
334
 
 
335
 
     /*opening bracket*/
336
 
-    strcat(szBuffer, " (");
337
 
+    strlcat(szBuffer, " (", bufferSize);
338
 
+
339
 
+    pszEscapedStr = msLayerEscapePropertyName(lp, psFilterNode->psLeftNode->pszValue);
340
 
 
341
 
     /* attribute */
342
 
     /*case insensitive set ? */
343
 
@@ -3319,35 +3328,37 @@
344
 
         psFilterNode->psRightNode->pOther && 
345
 
         (*(int *)psFilterNode->psRightNode->pOther) == 1)
346
 
     {
347
 
-        sprintf(szTmp, "lower(%s) ",  psFilterNode->psLeftNode->pszValue);
348
 
-        strcat(szBuffer, szTmp);
349
 
+        snprintf(szTmp, sizeof(szTmp), "lower(%s) ",  pszEscapedStr);
350
 
+        strlcat(szBuffer, szTmp, bufferSize);
351
 
     }
352
 
     else
353
 
-      strcat(szBuffer, psFilterNode->psLeftNode->pszValue);
354
 
+      strlcat(szBuffer, pszEscapedStr, bufferSize);
355
 
 
356
 
+    msFree(pszEscapedStr);
357
 
+    pszEscapedStr = NULL;
358
 
     
359
 
 
360
 
     /* logical operator */
361
 
-    if (strcasecmp(psFilterNode->pszValue, 
362
 
+   if (strcasecmp(psFilterNode->pszValue, 
363
 
                    "PropertyIsEqualTo") == 0)
364
 
-      strcat(szBuffer, "=");
365
 
+      strlcat(szBuffer, "=", bufferSize);
366
 
     else if (strcasecmp(psFilterNode->pszValue, 
367
 
                         "PropertyIsNotEqualTo") == 0)
368
 
-      strcat(szBuffer, "<>"); 
369
 
+      strlcat(szBuffer, "<>", bufferSize); 
370
 
     else if (strcasecmp(psFilterNode->pszValue, 
371
 
                         "PropertyIsLessThan") == 0)
372
 
-      strcat(szBuffer, "<");
373
 
+      strlcat(szBuffer, "<", bufferSize);
374
 
     else if (strcasecmp(psFilterNode->pszValue, 
375
 
                         "PropertyIsGreaterThan") == 0)
376
 
-      strcat(szBuffer, ">");
377
 
+      strlcat(szBuffer, ">", bufferSize);
378
 
     else if (strcasecmp(psFilterNode->pszValue, 
379
 
                         "PropertyIsLessThanOrEqualTo") == 0)
380
 
-      strcat(szBuffer, "<=");
381
 
+      strlcat(szBuffer, "<=", bufferSize);
382
 
     else if (strcasecmp(psFilterNode->pszValue, 
383
 
                         "PropertyIsGreaterThanOrEqualTo") == 0)
384
 
-      strcat(szBuffer, ">=");
385
 
+      strlcat(szBuffer, ">=", bufferSize);
386
 
     
387
 
-    strcat(szBuffer, " ");
388
 
+    strlcat(szBuffer, " ", bufferSize);
389
 
     
390
 
     /* value */
391
 
 
392
 
@@ -3358,23 +3369,33 @@
393
 
         psFilterNode->psRightNode->pOther && 
394
 
         (*(int *)psFilterNode->psRightNode->pOther) == 1)
395
 
     {
396
 
-        sprintf(szTmp, "lower('%s') ",  psFilterNode->psRightNode->pszValue);
397
 
-        strcat(szBuffer, szTmp);
398
 
+        snprintf(szTmp, sizeof(szTmp), "lower('%s') ",  psFilterNode->psRightNode->pszValue);
399
 
+        strlcat(szBuffer, szTmp, bufferSize);
400
 
     }
401
 
     else
402
 
     {
403
 
         if (bString)
404
 
-          strcat(szBuffer, "'");
405
 
+          strlcat(szBuffer, "'", bufferSize);
406
 
     
407
 
         if (psFilterNode->psRightNode->pszValue)
408
 
-          strcat(szBuffer, psFilterNode->psRightNode->pszValue);
409
 
+        {
410
 
+            if (bString)
411
 
+            {
412
 
+                char* pszEscapedStr;
413
 
+                pszEscapedStr = msLayerEscapeSQLParam(lp, psFilterNode->psRightNode->pszValue);
414
 
+                strlcat(szBuffer, pszEscapedStr, bufferSize);
415
 
+                msFree(pszEscapedStr);
416
 
+                pszEscapedStr=NULL;
417
 
+            }
418
 
+            else
419
 
+              strlcat(szBuffer, psFilterNode->psRightNode->pszValue, bufferSize);
420
 
+        }
421
 
 
422
 
         if (bString)
423
 
-          strcat(szBuffer, "'");
424
 
-
425
 
+          strlcat(szBuffer, "'", bufferSize);
426
 
     }
427
 
     /*closing bracket*/
428
 
-    strcat(szBuffer, ") ");
429
 
+    strlcat(szBuffer, ") ", bufferSize);
430
 
 
431
 
     return strdup(szBuffer);
432
 
 }
433
 
@@ -3388,12 +3409,13 @@
434
 
 char *FLTGetIsBetweenComparisonSQLExpresssion(FilterEncodingNode *psFilterNode,
435
 
                                               layerObj *lp)
436
 
 {
437
 
+    const size_t bufferSize = 1024;
438
 
     char szBuffer[1024];
439
 
     char **aszBounds = NULL;
440
 
     int nBounds = 0;
441
 
     int bString=0;
442
 
     char szTmp[256];
443
 
-
444
 
+    char* pszEscapedStr;
445
 
 
446
 
     szBuffer[0] = '\0';
447
 
     if (!psFilterNode ||
448
 
@@ -3437,32 +3459,46 @@
449
 
 /*      build expresssion.                                              */
450
 
 /* -------------------------------------------------------------------- */
451
 
     /*opening paranthesis */
452
 
-    strcat(szBuffer, " (");
453
 
+    strlcat(szBuffer, " (",bufferSize);
454
 
 
455
 
     /* attribute */
456
 
-    strcat(szBuffer, psFilterNode->psLeftNode->pszValue);
457
 
+    pszEscapedStr = msLayerEscapePropertyName(lp, psFilterNode->psLeftNode->pszValue);
458
 
+
459
 
+    strlcat(szBuffer, pszEscapedStr, bufferSize);
460
 
+    msFree(pszEscapedStr);
461
 
+    pszEscapedStr = NULL;
462
 
 
463
 
     /*between*/
464
 
-    strcat(szBuffer, " BETWEEN ");
465
 
+    strlcat(szBuffer, " BETWEEN ",bufferSize);
466
 
 
467
 
     /*bound 1*/
468
 
     if (bString)
469
 
-      strcat(szBuffer,"'");
470
 
-    strcat(szBuffer, aszBounds[0]);
471
 
+      strlcat(szBuffer,"'",bufferSize);
472
 
+
473
 
+    pszEscapedStr = msLayerEscapeSQLParam( lp, aszBounds[0]);
474
 
+    strlcat(szBuffer, pszEscapedStr, bufferSize);
475
 
+    msFree(pszEscapedStr);
476
 
+    pszEscapedStr=NULL;
477
 
+
478
 
     if (bString)
479
 
-      strcat(szBuffer,"'");
480
 
+      strlcat(szBuffer,"'",bufferSize);
481
 
 
482
 
-    strcat(szBuffer, " AND ");
483
 
+    strlcat(szBuffer, " AND ",bufferSize);
484
 
 
485
 
     /*bound 2*/
486
 
     if (bString)
487
 
-      strcat(szBuffer, "'");
488
 
-    strcat(szBuffer, aszBounds[1]);
489
 
+      strlcat(szBuffer, "'",bufferSize);
490
 
+
491
 
+    pszEscapedStr = msLayerEscapeSQLParam( lp, aszBounds[1]);
492
 
+    strlcat(szBuffer, pszEscapedStr, bufferSize);
493
 
+    msFree(pszEscapedStr);
494
 
+    pszEscapedStr=NULL;
495
 
+
496
 
     if (bString)
497
 
-      strcat(szBuffer,"'");
498
 
+      strlcat(szBuffer,"'",bufferSize);
499
 
 
500
 
     /*closing paranthesis*/
501
 
-    strcat(szBuffer, ")");
502
 
+    strlcat(szBuffer, ")",bufferSize);
503
 
      
504
 
     
505
 
     return strdup(szBuffer);
506
 
@@ -3476,6 +3512,7 @@
507
 
 char *FLTGetIsBetweenComparisonExpresssion(FilterEncodingNode *psFilterNode,
508
 
                                            layerObj *lp)
509
 
 {
510
 
+    const size_t bufferSize = 1024;
511
 
     char szBuffer[1024];
512
 
     char **aszBounds = NULL;
513
 
     int nBounds = 0;
514
 
@@ -3496,7 +3533,10 @@
515
 
 /* -------------------------------------------------------------------- */
516
 
     aszBounds = msStringSplit(psFilterNode->psRightNode->pszValue, ';', &nBounds);
517
 
     if (nBounds != 2)
518
 
+    {
519
 
+      msFreeCharArray(aszBounds, nBounds);
520
 
       return NULL;
521
 
+    }
522
 
 /* -------------------------------------------------------------------- */
523
 
 /*      check if the value is a numeric value or alphanumeric. If it    */
524
 
 /*      is alphanumeric, add quotes around attribute and values.        */
525
 
@@ -3525,50 +3565,51 @@
526
 
 /*      build expresssion.                                              */
527
 
 /* -------------------------------------------------------------------- */
528
 
     if (bString)
529
 
-      strcat(szBuffer, " (\"[");
530
 
+      strlcat(szBuffer, " (\"[", bufferSize);
531
 
     else
532
 
-      strcat(szBuffer, " ([");
533
 
+      strlcat(szBuffer, " ([", bufferSize);
534
 
 
535
 
     /* attribute */
536
 
-    strcat(szBuffer, psFilterNode->psLeftNode->pszValue);
537
 
+    strlcat(szBuffer, psFilterNode->psLeftNode->pszValue, bufferSize);
538
 
 
539
 
     if (bString)
540
 
-      strcat(szBuffer, "]\" ");
541
 
+      strlcat(szBuffer, "]\" ", bufferSize);
542
 
     else
543
 
-      strcat(szBuffer, "] ");
544
 
+      strlcat(szBuffer, "] ", bufferSize);
545
 
         
546
 
     
547
 
-    strcat(szBuffer, " >= ");
548
 
+    strlcat(szBuffer, " >= ", bufferSize);
549
 
     if (bString)
550
 
-      strcat(szBuffer,"\"");
551
 
-    strcat(szBuffer, aszBounds[0]);
552
 
+      strlcat(szBuffer,"\"", bufferSize);
553
 
+    strlcat(szBuffer, aszBounds[0], bufferSize);
554
 
     if (bString)
555
 
-      strcat(szBuffer,"\"");
556
 
+      strlcat(szBuffer,"\"", bufferSize);
557
 
 
558
 
-    strcat(szBuffer, " AND ");
559
 
+    strlcat(szBuffer, " AND ", bufferSize);
560
 
 
561
 
     if (bString)
562
 
-      strcat(szBuffer, " \"[");
563
 
+      strlcat(szBuffer, " \"[", bufferSize);
564
 
     else
565
 
-      strcat(szBuffer, " ["); 
566
 
+      strlcat(szBuffer, " [", bufferSize); 
567
 
 
568
 
     /* attribute */
569
 
-    strcat(szBuffer, psFilterNode->psLeftNode->pszValue);
570
 
+    strlcat(szBuffer, psFilterNode->psLeftNode->pszValue, bufferSize);
571
 
     
572
 
     if (bString)
573
 
-      strcat(szBuffer, "]\" ");
574
 
+      strlcat(szBuffer, "]\" ", bufferSize);
575
 
     else
576
 
-      strcat(szBuffer, "] ");
577
 
+      strlcat(szBuffer, "] ", bufferSize);
578
 
     
579
 
-    strcat(szBuffer, " <= ");
580
 
+    strlcat(szBuffer, " <= ", bufferSize);
581
 
     if (bString)
582
 
-      strcat(szBuffer,"\"");
583
 
-    strcat(szBuffer, aszBounds[1]);
584
 
+      strlcat(szBuffer,"\"", bufferSize);
585
 
+    strlcat(szBuffer, aszBounds[1], bufferSize);
586
 
     if (bString)
587
 
-      strcat(szBuffer,"\"");
588
 
-    strcat(szBuffer, ")");
589
 
-     
590
 
-    
591
 
+      strlcat(szBuffer,"\"", bufferSize);
592
 
+    strlcat(szBuffer, ")", bufferSize);
593
 
+
594
 
+    msFreeCharArray(aszBounds, nBounds);
595
 
+
596
 
     return strdup(szBuffer);
597
 
 }
598
 
     
599
 
@@ -3579,6 +3620,7 @@
600
 
 /************************************************************************/
601
 
 char *FLTGetIsLikeComparisonExpression(FilterEncodingNode *psFilterNode)
602
 
 {
603
 
+    const size_t bufferSize = 1024;
604
 
     char szBuffer[1024];
605
 
     char *pszValue = NULL;
606
 
     
607
 
@@ -3626,43 +3668,49 @@
608
 
     }
609
 
     for (i=0; i<nLength; i++)
610
 
     {
611
 
-        if (pszValue[i] != pszWild[0] && 
612
 
-            pszValue[i] != pszSingle[0] &&
613
 
-            pszValue[i] != pszEscape[0])
614
 
-        {
615
 
-            szBuffer[iBuffer] = pszValue[i];
616
 
-            iBuffer++;
617
 
-            szBuffer[iBuffer] = '\0';
618
 
-        }
619
 
-        else if  (pszValue[i] == pszSingle[0])
620
 
-        {
621
 
-             szBuffer[iBuffer] = '.';
622
 
-             iBuffer++;
623
 
-             szBuffer[iBuffer] = '\0';
624
 
-        }
625
 
-        else if  (pszValue[i] == pszEscape[0])
626
 
+        if (iBuffer < 1024)
627
 
         {
628
 
-            szBuffer[iBuffer] = '\\';
629
 
-            iBuffer++;
630
 
-            szBuffer[iBuffer] = '\0';
631
 
+            if (pszValue[i] != pszWild[0] && 
632
 
+                pszValue[i] != pszSingle[0] &&
633
 
+                pszValue[i] != pszEscape[0])
634
 
+            {
635
 
+                szBuffer[iBuffer] = pszValue[i];
636
 
+                iBuffer++;
637
 
+                szBuffer[iBuffer] = '\0';
638
 
+            }
639
 
+            else if  (pszValue[i] == pszSingle[0])
640
 
+            {
641
 
+                szBuffer[iBuffer] = '.';
642
 
+                iBuffer++;
643
 
+                szBuffer[iBuffer] = '\0';
644
 
+            }
645
 
+            else if  (pszValue[i] == pszEscape[0])
646
 
+            {
647
 
+                szBuffer[iBuffer] = '\\';
648
 
+                iBuffer++;
649
 
+                szBuffer[iBuffer] = '\0';
650
 
 
651
 
-        }
652
 
-        else if (pszValue[i] == pszWild[0])
653
 
-        {
654
 
-            /* strcat(szBuffer, "[0-9,a-z,A-Z,\\s]*"); */
655
 
-            /* iBuffer+=17; */
656
 
-            strcat(szBuffer, ".*");
657
 
-            iBuffer+=2;
658
 
-            szBuffer[iBuffer] = '\0';
659
 
+            }
660
 
+            else if (pszValue[i] == pszWild[0])
661
 
+            {
662
 
+                /* strcat(szBuffer, "[0-9,a-z,A-Z,\\s]*"); */
663
 
+                /* iBuffer+=17; */
664
 
+                strlcat(szBuffer, ".*",bufferSize);
665
 
+                iBuffer+=2;
666
 
+                szBuffer[iBuffer] = '\0';
667
 
+            }
668
 
         }
669
 
     }   
670
 
-    szBuffer[iBuffer] = '/';
671
 
-    if (bCaseInsensitive == 1)
672
 
+
673
 
+    if (iBuffer < 1024)
674
 
     {
675
 
-      szBuffer[++iBuffer] = 'i';
676
 
-    } 
677
 
-    szBuffer[++iBuffer] = '\0';
678
 
-    
679
 
+        szBuffer[iBuffer] = '/';
680
 
+        if (bCaseInsensitive == 1)
681
 
+        {
682
 
+            szBuffer[++iBuffer] = 'i';
683
 
+        } 
684
 
+        szBuffer[++iBuffer] = '\0';
685
 
+    }
686
 
         
687
 
     return strdup(szBuffer);
688
 
 }
689
 
@@ -3673,8 +3721,9 @@
690
 
 /*      Build an sql expression for IsLike filter.                      */
691
 
 /************************************************************************/
692
 
 char *FLTGetIsLikeComparisonSQLExpression(FilterEncodingNode *psFilterNode,
693
 
-                                          int connectiontype)
694
 
+                                           layerObj *lp)
695
 
 {
696
 
+    const size_t bufferSize = 1024;
697
 
     char szBuffer[1024];
698
 
     char *pszValue = NULL;
699
 
     
700
 
@@ -3683,9 +3732,11 @@
701
 
     char *pszEscape = NULL;
702
 
     char szTmp[4];
703
 
 
704
 
-    int nLength=0, i=0, iBuffer = 0;
705
 
+    int nLength=0, i=0, j=0;
706
 
     int  bCaseInsensitive = 0;
707
 
 
708
 
+    char *pszEscapedStr = NULL;
709
 
+
710
 
     if (!psFilterNode || !psFilterNode->pOther || !psFilterNode->psLeftNode ||
711
 
         !psFilterNode->psRightNode || !psFilterNode->psRightNode->pszValue)
712
 
       return NULL;
713
 
@@ -3704,60 +3755,80 @@
714
 
 
715
 
     szBuffer[0] = '\0';
716
 
     /*opening bracket*/
717
 
-    strcat(szBuffer, " (");
718
 
+    strlcat(szBuffer, " (", bufferSize);
719
 
 
720
 
     /* attribute name */
721
 
-    strcat(szBuffer, psFilterNode->psLeftNode->pszValue);
722
 
-    if (bCaseInsensitive == 1 && connectiontype == MS_POSTGIS)
723
 
-      strcat(szBuffer, " ilike '");
724
 
+    pszEscapedStr = msLayerEscapePropertyName(lp, psFilterNode->psLeftNode->pszValue);
725
 
+
726
 
+    strlcat(szBuffer, pszEscapedStr, bufferSize);
727
 
+    msFree(pszEscapedStr);
728
 
+    pszEscapedStr = NULL;
729
 
+
730
 
+
731
 
+    if (bCaseInsensitive == 1 && lp->connectiontype == MS_POSTGIS)
732
 
+      strlcat(szBuffer, " ilike '",bufferSize);
733
 
     else
734
 
-      strcat(szBuffer, " like '");
735
 
+      strlcat(szBuffer, " like '",bufferSize);
736
 
         
737
 
    
738
 
     pszValue = psFilterNode->psRightNode->pszValue;
739
 
     nLength = strlen(pszValue);
740
 
-    iBuffer = strlen(szBuffer);
741
 
+
742
 
+    pszEscapedStr = (char*) malloc( 3 * nLength + 1);
743
 
+
744
 
     for (i=0; i<nLength; i++)
745
 
     {
746
 
-        if (pszValue[i] != pszWild[0] && 
747
 
-            pszValue[i] != pszSingle[0] &&
748
 
-            pszValue[i] != pszEscape[0])
749
 
+        char c = pszValue[i];
750
 
+        if (c != pszWild[0] &&
751
 
+            c != pszSingle[0] &&
752
 
+            c != pszEscape[0])
753
 
         {
754
 
-            szBuffer[iBuffer] = pszValue[i];
755
 
-            iBuffer++;
756
 
-            szBuffer[iBuffer] = '\0';
757
 
+            if (c == '\'')
758
 
+            {
759
 
+                pszEscapedStr[j++] = '\'';
760
 
+                pszEscapedStr[j++] = '\'';
761
 
+            }
762
 
+            else if (c == '\\')
763
 
+            {
764
 
+                pszEscapedStr[j++] = '\\';
765
 
+                pszEscapedStr[j++] = '\\';
766
 
+            }
767
 
+            else
768
 
+                pszEscapedStr[j++] = c;
769
 
         }
770
 
-        else if  (pszValue[i] == pszSingle[0])
771
 
+        else if  (c == pszSingle[0])
772
 
         {
773
 
-             szBuffer[iBuffer] = '_';
774
 
-             iBuffer++;
775
 
-             szBuffer[iBuffer] = '\0';
776
 
+            pszEscapedStr[j++] = '_';
777
 
         }
778
 
-        else if  (pszValue[i] == pszEscape[0])
779
 
+        else if  (c == pszEscape[0])
780
 
         {
781
 
-            szBuffer[iBuffer] = pszEscape[0];
782
 
-            iBuffer++;
783
 
-            szBuffer[iBuffer] = '\0';
784
 
-            /*if (i<nLength-1)
785
 
+            pszEscapedStr[j++] = pszEscape[0];
786
 
+            if (i+1<nLength)
787
 
             {
788
 
-                szBuffer[iBuffer] = pszValue[i+1];
789
 
-                iBuffer++;
790
 
-                szBuffer[iBuffer] = '\0';
791
 
+                char nextC = pszValue[i+1];
792
 
+                i++;
793
 
+                if (nextC == '\'')
794
 
+                {
795
 
+                    pszEscapedStr[j++] = '\'';
796
 
+                    pszEscapedStr[j++] = '\'';
797
 
+                }
798
 
+                else
799
 
+                    pszEscapedStr[j++] = nextC;
800
 
             }
801
 
-            */
802
 
         }
803
 
-        else if (pszValue[i] == pszWild[0])
804
 
+        else if (c == pszWild[0])
805
 
         {
806
 
-            strcat(szBuffer, "%");
807
 
-            iBuffer++;
808
 
-            szBuffer[iBuffer] = '\0';
809
 
+            pszEscapedStr[j++] = '%';
810
 
         }
811
 
     } 
812
 
+    pszEscapedStr[j++] = 0;
813
 
+    strlcat(szBuffer, pszEscapedStr, bufferSize);
814
 
+    msFree(pszEscapedStr);
815
 
 
816
 
-    strcat(szBuffer, "'");
817
 
-    if (connectiontype != MS_OGR)
818
 
+    strlcat(szBuffer, "'",bufferSize);
819
 
+    if (lp->connectiontype != MS_OGR)
820
 
     {
821
 
-      strcat(szBuffer, " escape '");
822
 
+        strlcat(szBuffer, " escape '",bufferSize);
823
 
       szTmp[0] = pszEscape[0];
824
 
       if (pszEscape[0] == '\\')
825
 
       {
826
 
@@ -3771,9 +3842,9 @@
827
 
           szTmp[2] = '\0';
828
 
       }
829
 
 
830
 
-      strcat(szBuffer,  szTmp);
831
 
+      strlcat(szBuffer,  szTmp,bufferSize);
832
 
     }
833
 
-    strcat(szBuffer,  ") ");
834
 
+    strlcat(szBuffer,  ") ",bufferSize);
835
 
     
836
 
     return strdup(szBuffer);
837
 
 }
838
 
@@ -4084,7 +4155,7 @@
839
 
             {
840
 
                 if (!lp->items[i] || strlen(lp->items[i]) <= 0)
841
 
                     continue;
842
 
-                sprintf(szTmp, "%s_alias", lp->items[i]);
843
 
+                snprintf(szTmp, sizeof(szTmp), "%s_alias", lp->items[i]);
844
 
                 pszFullName = msOWSLookupMetadata(&(lp->metadata), namespaces, szTmp);
845
 
                 if (pszFullName)
846
 
                 {
847
 
Index: mapserver-5.6.6/mapogcfilter.h
848
 
===================================================================
849
 
--- mapserver-5.6.6.orig/mapogcfilter.h 2011-09-09 09:43:52.000000000 -0500
850
 
+++ mapserver-5.6.6/mapogcfilter.h      2011-09-09 09:44:02.000000000 -0500
851
 
@@ -113,8 +113,8 @@
852
 
 MS_DLL_EXPORT char *FLTGetSQLExpression(FilterEncodingNode *psFilterNode,layerObj *lp);
853
 
 MS_DLL_EXPORT char *FLTGetBinaryComparisonSQLExpresssion(FilterEncodingNode *psFilterNode, layerObj *lp);
854
 
 MS_DLL_EXPORT char *FLTGetIsBetweenComparisonSQLExpresssion(FilterEncodingNode *psFilterNode, layerObj *lp);
855
 
-MS_DLL_EXPORT char *FLTGetIsLikeComparisonSQLExpression(FilterEncodingNode *psFilterNode,
856
 
-                                       int connectiontype);
857
 
+MS_DLL_EXPORT char *FLTGetIsLikeComparisonSQLExpression(FilterEncodingNode *psFilterNode, layerObj *lp);
858
 
+
859
 
 MS_DLL_EXPORT char *FLTGetLogicalComparisonSQLExpresssion(FilterEncodingNode *psFilterNode,
860
 
                                             layerObj *lp);
861
 
 MS_DLL_EXPORT int FLTIsSimpleFilter(FilterEncodingNode *psFilterNode);
862
 
Index: mapserver-5.6.6/mapogcsos.c
863
 
===================================================================
864
 
--- mapserver-5.6.6.orig/mapogcsos.c    2011-09-09 09:43:52.000000000 -0500
865
 
+++ mapserver-5.6.6/mapogcsos.c 2011-09-09 09:44:02.000000000 -0500
866
 
@@ -1820,6 +1820,7 @@
867
 
   char *pszProcedureValue = NULL;
868
 
   int iItemPosition, status;
869
 
   shapeObj sShape;
870
 
+  char* pszEscapedStr = NULL;
871
 
 
872
 
   sBbox = map->extent;
873
 
 
874
 
@@ -2051,15 +2052,25 @@
875
 
               pszBuffer = msStringConcatenate(pszBuffer, "(");
876
 
                             
877
 
               if (!bSpatialDB)
878
 
-                pszBuffer = msStringConcatenate(pszBuffer, "'[");
879
 
-
880
 
-              pszBuffer = msStringConcatenate(pszBuffer, (char *)pszProcedureItem);
881
 
+              {
882
 
+                  pszBuffer = msStringConcatenate(pszBuffer, "'[");
883
 
+                  pszBuffer = msStringConcatenate(pszBuffer, (char *)pszProcedureItem);
884
 
+              }
885
 
+              else
886
 
+              {
887
 
+                  pszEscapedStr = msLayerEscapePropertyName(lp, (char *)pszProcedureItem);
888
 
+                  pszBuffer = msStringConcatenate(pszBuffer, pszEscapedStr);
889
 
+                  msFree(pszEscapedStr);
890
 
+                  pszEscapedStr = NULL;
891
 
+              }
892
 
 
893
 
               if (!bSpatialDB)
894
 
                 pszBuffer = msStringConcatenate(pszBuffer, "]'");
895
 
 
896
 
               pszBuffer = msStringConcatenate(pszBuffer, " = '");
897
 
-              pszBuffer = msStringConcatenate(pszBuffer,  tokens[j]);
898
 
+              pszEscapedStr = msLayerEscapeSQLParam(lp, tokens[j]);
899
 
+              pszBuffer = msStringConcatenate(pszBuffer,  pszEscapedStr);
900
 
+              msFree(pszEscapedStr);
901
 
               pszBuffer = msStringConcatenate(pszBuffer,  "')");
902
 
             }
903
 
                                 
904
 
Index: mapserver-5.6.6/mapogr.cpp
905
 
===================================================================
906
 
--- mapserver-5.6.6.orig/mapogr.cpp     2011-09-09 09:43:52.000000000 -0500
907
 
+++ mapserver-5.6.6/mapogr.cpp  2011-09-09 09:44:02.000000000 -0500
908
 
@@ -3465,6 +3465,66 @@
909
 
 }
910
 
 
911
 
 /************************************************************************/
912
 
+/*                           msOGREscapeSQLParam                        */
913
 
+/************************************************************************/
914
 
+char *msOGREscapeSQLParam(layerObj *layer, const char *pszString)
915
 
+{
916
 
+    char* pszEscapedStr =NULL;
917
 
+#ifdef USE_OGR
918
 
+    if(layer && pszString && strlen(pszString) > 0)
919
 
+    {
920
 
+        char* pszEscapedOGRStr =  CPLEscapeString(pszString, strlen(pszString),  
921
 
+                                                   CPLES_SQL ); 
922
 
+       pszEscapedStr = strdup(pszEscapedOGRStr);
923
 
+        CPLFree(pszEscapedOGRStr);
924
 
+    }
925
 
+    return pszEscapedStr; 
926
 
+#else
927
 
+/* ------------------------------------------------------------------
928
 
+ * OGR Support not included...
929
 
+ * ------------------------------------------------------------------ */
930
 
+
931
 
+  msSetError(MS_MISCERR, "OGR support is not available.", 
932
 
+             "msOGREscapeSQLParam()");
933
 
+  return NULL;
934
 
+
935
 
+#endif /* USE_OGR */  
936
 
+}
937
 
+
938
 
+
939
 
+/************************************************************************/
940
 
+/*                           msOGREscapeSQLParam                        */
941
 
+/************************************************************************/
942
 
+char *msOGREscapePropertyName(layerObj *layer, const char *pszString)
943
 
+{
944
 
+    char* pszEscapedStr =NULL;
945
 
+    int i =0;
946
 
+#ifdef USE_OGR
947
 
+    if(layer && pszString && strlen(pszString) > 0)
948
 
+    {
949
 
+        unsigned char ch;
950
 
+        for(i=0; (ch = ((unsigned char*)pszString)[i]) != '\0'; i++)
951
 
+        {
952
 
+            if ( !(isalnum(ch) || ch == '_' || ch > 127) )
953
 
+            {
954
 
+                return strdup("invalid_property_name");
955
 
+            }
956
 
+        }
957
 
+        pszEscapedStr = strdup(pszString);
958
 
+    }
959
 
+    return pszEscapedStr;
960
 
+#else
961
 
+/* ------------------------------------------------------------------
962
 
+ * OGR Support not included...
963
 
+ * ------------------------------------------------------------------ */
964
 
+
965
 
+  msSetError(MS_MISCERR, "OGR support is not available.", 
966
 
+             "msOGREscapePropertyName()");
967
 
+  return NULL;
968
 
+
969
 
+#endif /* USE_OGR */  
970
 
+}
971
 
+/************************************************************************/
972
 
 /*                  msOGRLayerInitializeVirtualTable()                  */
973
 
 /************************************************************************/
974
 
 int
975
 
@@ -3491,6 +3551,9 @@
976
 
     /* layer->vtable->LayerCreateItems, use default */
977
 
     /* layer->vtable->LayerGetNumFeatures, use default */
978
 
 
979
 
+    layer->vtable->LayerEscapeSQLParam = msOGREscapeSQLParam;
980
 
+    layer->vtable->LayerEscapePropertyName = msOGREscapePropertyName;
981
 
+
982
 
     return MS_SUCCESS;
983
 
 }
984
 
 
985
 
Index: mapserver-5.6.6/mappostgis.c
986
 
===================================================================
987
 
--- mapserver-5.6.6.orig/mappostgis.c   2011-09-09 09:43:53.000000000 -0500
988
 
+++ mapserver-5.6.6/mappostgis.c        2011-09-09 09:44:02.000000000 -0500
989
 
@@ -549,7 +549,7 @@
990
 
         return(MS_FAILURE);
991
 
     }
992
 
 
993
 
-    pgresult = PQexec(layerinfo->pgconn, sql);
994
 
+    pgresult = PQexecParams(layerinfo->pgconn, sql,0, NULL, NULL, NULL, NULL, 0);
995
 
     if ( !pgresult || PQresultStatus(pgresult) != PGRES_TUPLES_OK) {
996
 
         char *tmp1;
997
 
         char *tmp2 = NULL;
998
 
@@ -1774,7 +1774,7 @@
999
 
         msDebug("msPostGISLayerWhichShapes query: %s\n", strSQL);
1000
 
     }
1001
 
 
1002
 
-    pgresult = PQexec(layerinfo->pgconn, strSQL);
1003
 
+    pgresult = PQexecParams(layerinfo->pgconn, strSQL,0, NULL, NULL, NULL, NULL, 0);
1004
 
 
1005
 
     if ( layer->debug > 1 ) {
1006
 
         msDebug("msPostGISLayerWhichShapes query status: %s (%d)\n", PQresStatus(PQresultStatus(pgresult)), PQresultStatus(pgresult)); 
1007
 
@@ -1979,7 +1979,7 @@
1008
 
         msDebug("msPostGISLayerGetShape query: %s\n", strSQL);
1009
 
     }
1010
 
 
1011
 
-    pgresult = PQexec(layerinfo->pgconn, strSQL);
1012
 
+    pgresult = PQexecParams(layerinfo->pgconn, strSQL,0, NULL, NULL, NULL, NULL, 0);
1013
 
 
1014
 
     /* Something went wrong. */
1015
 
     if ( (!pgresult) || (PQresultStatus(pgresult) != PGRES_TUPLES_OK) ) {
1016
 
@@ -2073,7 +2073,7 @@
1017
 
         msDebug("msPostGISLayerGetItems executing SQL: %s\n", sql);
1018
 
     }
1019
 
 
1020
 
-    pgresult = PQexec(layerinfo->pgconn, sql);
1021
 
+    pgresult = PQexecParams(layerinfo->pgconn, sql,0, NULL, NULL, NULL, NULL, 0);
1022
 
     
1023
 
     if ( (!pgresult) || (PQresultStatus(pgresult) != PGRES_TUPLES_OK) ) {
1024
 
         msSetError(MS_QUERYERR, "Error (%s) executing SQL: %s", "msPostGISLayerGetItems()", PQerrorMessage(layerinfo->pgconn), sql);
1025
 
@@ -2538,6 +2538,42 @@
1026
 
     return MS_FALSE;
1027
 
 }
1028
 
 
1029
 
+
1030
 
+char *msPostGISEscapeSQLParam(layerObj *layer, const char *pszString)
1031
 
+{
1032
 
+#ifdef USE_POSTGIS
1033
 
+    msPostGISLayerInfo *layerinfo = NULL;
1034
 
+    int nError;
1035
 
+    size_t nSrcLen;
1036
 
+    char* pszEscapedStr =NULL;
1037
 
+
1038
 
+    if (layer && pszString && strlen(pszString) > 0)
1039
 
+    {
1040
 
+        if(!msPostGISLayerIsOpen(layer))
1041
 
+          msPostGISLayerOpen(layer);
1042
 
+    
1043
 
+        assert(layer->layerinfo != NULL);
1044
 
+
1045
 
+        layerinfo = (msPostGISLayerInfo *) layer->layerinfo;
1046
 
+        nSrcLen = strlen(pszString);
1047
 
+        pszEscapedStr = (char*) malloc( 2 * nSrcLen + 1);
1048
 
+        PQescapeStringConn (layerinfo->pgconn, pszEscapedStr, pszString, nSrcLen, &nError);
1049
 
+        if (nError != 0)
1050
 
+        {
1051
 
+            free(pszEscapedStr);
1052
 
+            pszEscapedStr = NULL;
1053
 
+        }
1054
 
+    }
1055
 
+    return pszEscapedStr;
1056
 
+#else
1057
 
+    msSetError( MS_MISCERR,
1058
 
+                "PostGIS support is not available.",
1059
 
+                "msPostGISEscapeSQLParam()");
1060
 
+    return NULL;
1061
 
+#endif
1062
 
+}
1063
 
+
1064
 
+
1065
 
 int msPostGISLayerInitializeVirtualTable(layerObj *layer) {
1066
 
     assert(layer != NULL);
1067
 
     assert(layer->vtable != NULL);
1068
 
@@ -2560,5 +2596,8 @@
1069
 
     /* layer->vtable->LayerCreateItems, use default */
1070
 
     /* layer->vtable->LayerGetNumFeatures, use default */
1071
 
 
1072
 
+#ifdef USE_POSTGIS
1073
 
+    layer->vtable->LayerEscapeSQLParam = msPostGISEscapeSQLParam;
1074
 
+#endif
1075
 
     return MS_SUCCESS;
1076
 
 }
1077
 
Index: mapserver-5.6.6/mapserver.h
1078
 
===================================================================
1079
 
--- mapserver-5.6.6.orig/mapserver.h    2011-09-09 09:43:53.000000000 -0500
1080
 
+++ mapserver-5.6.6/mapserver.h 2011-09-09 09:44:02.000000000 -0500
1081
 
@@ -1556,6 +1556,8 @@
1082
 
 
1083
 
     int (*LayerCreateItems)(layerObj *layer, int nt);
1084
 
     int (*LayerGetNumFeatures)(layerObj *layer);
1085
 
+    char* (*LayerEscapeSQLParam)(layerObj *layer, const char* pszString);
1086
 
+    char* (*LayerEscapePropertyName)(layerObj *layer, const char* pszString);
1087
 
 };
1088
 
 #endif /*SWIG*/
1089
 
 
1090
 
@@ -1955,6 +1957,9 @@
1091
 
 /* maplayer.c */
1092
 
 MS_DLL_EXPORT int msLayerGetNumFeatures(layerObj *layer);
1093
 
 
1094
 
+MS_DLL_EXPORT char *msLayerEscapeSQLParam(layerObj *layer, const char* pszString);
1095
 
+MS_DLL_EXPORT char *msLayerEscapePropertyName(layerObj *layer, const char* pszString);
1096
 
+
1097
 
 /* These are special because SWF is using these */
1098
 
 int msOGRLayerNextShape(layerObj *layer, shapeObj *shape);
1099
 
 int msOGRLayerGetItems(layerObj *layer);