From: Andrea A. <and...@ge...> - 2012-05-29 06:38:58
On Mon, May 28, 2012 at 9:47 PM, Willem Buitendyk <wi...@pc...> wrote:

> I'm trying to pass a parameterized sql view to access data in my postgis db
> on geoserver. I've set up the layer as such which works fine with the
> default parameters:
>
> select * from data_dump where datetime >= %datestart% and datetime < %dateend%
>
> When I try to access the data via the following url I get the following
> error:
>
> http://someplace.ca:8080/geoserver/data_space/wms?service=WMS&version=1.1.0&request=GetMap&layers=data_space:dump_query&styles=&bbox=-130.47541809082,48.3431854248047,-123.18302154541,55.0495872497559&width=512&height=470&srs=EPSG:4030&format=application/openlayers&viewparams=datestart:'2012-01-01';dateend:'2012-01-05'
>
> Error:
>
> Internal error occurred java.io.IOException null Invalid value for parameter
> datestart

You're hitting the default validation regular expression, which disallows ' as they are commonly used to perform a sql injection attack:

http://docs.geoserver.org/latest/en/user/data/sqlview.html
http://en.wikipedia.org/wiki/SQL_injection

Given how simple the filter is you'd be better off (safer) using CQL filters.

But if you really want, you can also just remove the ' exclusion from the validator (at your own risk, at least make sure the user for the connection pool cannot do writes on the database or random people will be able to start dropping tables out of your dbms).

Cheers
Andrea

--
Ing. Andrea Aime
GeoSolutions S.A.S.
Tech lead

Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy

phone: +39 0584 962313
fax: +39 0584 962313
mob: +39 339 8844549

http://www.geo-solutions.it
http://geo-solutions.blogspot.com/
http://www.youtube.com/user/GeoSolutionsIT
http://www.linkedin.com/in/andreaaime
http://twitter.com/geowolf
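An added illustration, not part of the original message and not GeoServer's own code: a simplified Python model of per-parameter validation for the view in this thread, showing why the quoted values are rejected and how a date-only pattern keeps the quote exclusion in place. It assumes the quotes are moved into the view definition; `DATE_VALIDATOR`, `parse_viewparams` and `render` are hypothetical names, and the default pattern is the one given in the GeoServer SQL view documentation.

```python
import re

# Simplified model of SQL view parameter handling (assumption: illustrative
# only, it does not reproduce GeoServer's parser or its escaping rules).
DEFAULT_VALIDATOR = r"^[\w\d\s]+$"       # default pattern per the GeoServer docs
DATE_VALIDATOR = r"^\d{4}-\d{2}-\d{2}$"  # constructed: accepts only YYYY-MM-DD

# View definition from the thread, with the quotes moved into the SQL itself
# so that request values never need to carry a quote character.
VIEW_SQL = ("select * from data_dump "
            "where datetime >= '%datestart%' and datetime < '%dateend%'")


def parse_viewparams(raw):
    """Split 'name:value;name:value' into a dict (no escape handling)."""
    params = {}
    for pair in filter(None, raw.split(";")):
        name, _, value = pair.partition(":")
        params[name] = value
    return params


def render(sql, raw_viewparams, validators):
    """Validate every parameter against its pattern, then substitute it."""
    for name, value in parse_viewparams(raw_viewparams).items():
        pattern = validators.get(name, DEFAULT_VALIDATOR)
        # fullmatch: the whole value must fit the pattern, not just a prefix
        if not re.fullmatch(pattern, value):
            raise ValueError(f"Invalid value for parameter {name}")
        sql = sql.replace(f"%{name}%", value)
    return sql
```

With the date pattern on both parameters, `viewparams=datestart:2012-01-01;dateend:2012-01-05` renders a valid query, while any value containing a quote still fails validation.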