Bug 1022 - JSAPI: javascript error when DATA statement contains '
Status: RESOLVED FIXED
: Chameleon
Widget
: 2.0
: PC Windows 2000
: P2 normal
: ---
Reported: 2005-05-09 10:44 by
Modified: 2005-05-16 07:51




Description From 2005-05-09 10:44:29
I have the following DATA statement in my MAP file:

  DATA "SELECT * FROM bis_his WHERE Opmerking LIKE 'C%'"

But this results in Chameleon jsapi mode in a javascript error:

Error: missing ; before statement
Source File: http://localhost:8080/stragisweb/
Line: 613, Column: 62
Source Code:
aLayerdata[21] = 'SELECT * FROM bis_his WHERE Opmerking LIKE 'C%'';
------- Comment #1 From 2005-05-09 17:28:31 -------
Ouch! Sounds scary to see that SQL statements are exposed to the JSAPI... even
just exposing the DATA statement seems dangerous to me. I know it's possible to
set DATA via the mapserv CGI and I'm not in favour of that either, but at least
I think it's been made very restrictive to prevent security issues.

I think I made that comment before but couldn't track the bug where I made it.
------- Comment #2 From 2005-05-10 03:24:36 -------
Daniel,

I do agree with you that the DATA statements shouldn't be transferred to the
client app. Previously also the CONNECTION was transferred if I recall correctly. 

I don't see any current use of DATA in the Chameleon code but I could be
overseeing something. Paul, is it actually used?

Anyway, for the quick fix, adding an addslashes solves the problem:

$szLayerInfo .="aLayerdata[".$i."] = '" .  addslashes($poLayer->data) . "';\n";

Bart
------- Comment #3 From 2005-05-10 10:20:15 -------
Bart, I don't think DATA should be in the output.  If you have a fix for this,
please apply it to cvs.
------- Comment #4 From 2005-05-16 07:16:44 -------
I will take care of this today.
------- Comment #5 From 2005-05-16 07:51:14 -------
Okay, this required changes to:
-cwcjsapi.widget.php
-cwcjsapi.js

I removed the DATA part.

Fixed in both 2.0 and 2.2

2.2: revision 1.6 of cwcjsapi.widget.php; cwcjsapi.js: revision 1.66
2.0: revision 1.5.2.1 of cwcjsapi.widget.php; cwcjsapi.js: revision 1.64.2.1
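
The two fixes discussed in this thread, side by side, as an added example that is not Chameleon's code: it rebuilds the failing `aLayerdata[...]` line from the report, applies a JavaScript stand-in for PHP's `addslashes()` (comment #2), and then emits only allowlisted fields so DATA never reaches the client (the approach of comment #5). The second sample layer, the `aLayername` array and `CLIENT_FIELDS` are constructed for illustration.

```javascript
// Added example, not Chameleon code. Layer values below are constructed samples.
const layers = [
  { name: 'bis_his', data: "SELECT * FROM bis_his WHERE Opmerking LIKE 'C%'" },
  { name: 'multi', data: "SELECT *\nFROM t WHERE c = 'x'" }, // DATA spanning two lines
];

// Behaviour from the report: the raw value is placed between single quotes.
function emitNaive(i, value) {
  return `aLayerdata[${i}] = '${value}';`;
}

// Stand-in for PHP addslashes(): backslash-escapes ', ", \ and NUL, nothing else.
function addslashes(s) {
  return s.replace(/[\\'"]/g, '\\$&').replace(/\0/g, '\\0');
}
function emitAddslashes(i, value) {
  return `aLayerdata[${i}] = '${addslashes(value)}';`;
}

// Encoding for the JavaScript context: JSON.stringify yields a valid string literal.
function emitJson(i, value) {
  return `aLayerdata[${i}] = ${JSON.stringify(value)};`;
}

// True if the generated line parses as JavaScript. The body is compiled, never run.
function parses(line) {
  try { new Function('aLayerdata', line); return true; }
  catch (e) { if (e instanceof SyntaxError) return false; throw e; }
}

// Allowlist: only fields the client needs are emitted, so DATA is never sent.
const CLIENT_FIELDS = ['name']; // hypothetical field list
function emitLayer(i, layer) {
  return CLIENT_FIELDS
    .map((f) => `aLayer${f}[${i}] = ${JSON.stringify(String(layer[f]))};`)
    .join('\n');
}

// Print which emitters produce parseable output for each sample layer.
layers.forEach((layer, i) => {
  console.log(layer.name, {
    naive: parses(emitNaive(i, layer.data)),
    addslashes: parses(emitAddslashes(i, layer.data)),
    json: parses(emitJson(i, layer.data)),
  });
  console.log(emitLayer(i, layer));
});
```

The `addslashes()` variant repairs the reported quote case but still produces a syntax error for the value containing a line break, which is why encoding for the output context, or not emitting the field at all, is the more robust fix.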