I'm using GeoServer's functionality for dynamic PostgreSQL queries. I have a query with a fully dynamic where clause. For example, you don't even know the exact number of geometric features, or the relationships between them, that you have to select from the database.
What's the best way to ensure an SQL injection attack cannot be made?
Currently, there's a query of the form Select * from foo f,foo f2 %where%
and the where parameter is using many PostGIS functions and a combination of f, f2 and other geometric entries.
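One defensive approach for a free-form %where% parameter, as an added example that is not part of the original question or of GeoServer itself: instead of trying to blacklist dangerous characters, tokenize the parameter and accept only an allowlist grammar (the two aliases, known columns, a fixed set of PostGIS predicates, comparison operators, numbers and balanced parentheses), so quotes, semicolons, comment markers and unknown functions are rejected before the clause ever reaches PostgreSQL. The aliases f and f2, the column names and the function list are assumptions made for illustration.

```python
import re

# Allowlist for the %where% parameter (assumed schema for this example):
# aliases f and f2 from "foo f, foo f2", a few columns, and the PostGIS
# predicates the view is meant to use. Anything outside this set is rejected.
ALLOWED_ALIASES = {"f", "f2"}
ALLOWED_COLUMNS = {"id", "name", "geom"}
ALLOWED_FUNCTIONS = {"st_intersects", "st_dwithin", "st_contains", "st_within"}
ALLOWED_KEYWORDS = {"AND", "OR", "NOT"}   # WHERE is only valid as the first token
MAX_LENGTH = 512

# One token per match; "bad" catches every character the grammar does not know
# (quotes, semicolons, comment markers, arithmetic, ...), so nothing is skipped.
TOKEN_RE = re.compile(r"""\s*(?:
      (?P<number>-?\d+(?:\.\d+)?)
    | (?P<qualified>[A-Za-z_]\w*\.[A-Za-z_]\w*)
    | (?P<word>[A-Za-z_]\w*)
    | (?P<op><=|>=|<>|[(),=<>])
    | (?P<bad>.))""", re.VERBOSE | re.DOTALL)

def tokenize(clause):
    """Split the clause into (kind, text) pairs; raise on any unknown character."""
    tokens, pos = [], 0
    while pos < len(clause):
        m = TOKEN_RE.match(clause, pos)
        if m is None or m.lastgroup == "bad":
            raise ValueError(f"disallowed character at offset {pos}")
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
        pos = m.end()
    return tokens

def validate_where(clause):
    """Return (True, 'ok') if the clause fits the allowlist grammar, else (False, reason)."""
    clause = clause.strip()
    if not clause or len(clause) > MAX_LENGTH:
        return False, "empty or too long"
    try:
        tokens = tokenize(clause)
    except ValueError as exc:
        return False, str(exc)
    if tokens[0][0] != "word" or tokens[0][1].upper() != "WHERE":
        return False, "clause must start with WHERE"
    depth = 0
    for kind, text in tokens[1:]:
        if kind == "qualified":
            alias, column = text.split(".")
            if alias not in ALLOWED_ALIASES or column not in ALLOWED_COLUMNS:
                return False, f"unknown column reference {text}"
        elif kind == "word":
            if text.upper() not in ALLOWED_KEYWORDS and text.lower() not in ALLOWED_FUNCTIONS:
                return False, f"disallowed identifier {text}"
        elif kind == "op":
            depth += {"(": 1, ")": -1}.get(text, 0)
            if depth < 0:
                return False, "unbalanced parentheses"
    return (True, "ok") if depth == 0 else (False, "unbalanced parentheses")
```

Run the check in the layer that builds the request before it reaches the SQL view, and log every rejection with the reason so tampering attempts show up in monitoring.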