Lierals in filter encoding and validation to know if it is a text or not

[assefa]

Hi There,

There is a test in fe_filter.c (function fe_expression) where a test is done on the value to see if it is string or not and add quotes around it (^{[A-Za-z]). I had run into a problem a couple of weeks ago with values such as #FF0000 or /MyMap that did not validate this regex. Is it possible to modify a bit the regex to allow more elements to do be valid. Here is an expression that test if a value is a number} (\d*(\.{1}\d*)?)$ (in the C code it would be "^{(\\d*(\\.{1}\\d*)?)$". I have checked it through online regex validation tool (http://www.fileformat.info/tool/regex.htm) and it seems to validate numbers with or without decimal degrees. Maybe we could use that? Or any other for that matter that would allow me to add values stating with "weird" characters such a # and /}

[ol]

Assefa,

Yes we defintily could be less strict on this one.

Things to keep in mind:

• handle int and double (as not string)
• prevent SQL injection -> \ " ' exclude chars

Don't hesitate to apply patch

-- Olivier

[assefa]

Sorry for the delay on this one. I committed a 'partial' fix allowing to detect if a value passed is numeric (r134) I was not sure exactly what should be done to prevent any SQL injection or even if it has to be done only here . Here is an interesting read about this http://www.securityfocus.com/infocus/1768. Maybe we should close this bug and open a specific bug on the SQL injection?

[assefa]

closing this. Will open a specific enhancement bug for the SQL Injection issues.