I'm making a GP tool for ArcGIS Server to generate some standard reports with user input. I'm making a tool that allows for user input into a formatted query. I'd like to make sure I don't allow people to blow it up. As an example:

    import arcpy

    parameter_1 = <USER INPUT>

    def query(parameter_1):
        query = "PIN = '{0}'".format(parameter_1)
        arcpy.management.MakeFeatureLayer(source_fc, 'test_layer', query)
        print query

Usually the operation will go like this:

    import arcpy

    parameter_1 = '110101010101'

    def query(parameter_1):
        query = "PIN = '{0}'".format(parameter_1)
        arcpy.management.MakeFeatureLayer(source_fc, 'test_layer', query)
        print query

    > ExecuteTool()
    PIN = '110101010101'

Theoretically the user could do:

    import arcpy

    parameter_1 = '110101010101; DROP TABLE pin'

    def query(parameter_1):
        query = "PIN = '{0}'".format(parameter_1)
        arcpy.management.MakeFeatureLayer(source_fc, 'test_layer', query)
        print query

    > ExecuteTool()
    ??????
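The following is an added example, not code from the post above, showing the usual fix for a where clause built from one user parameter: validate the parameter against an allowlist before it is ever formatted into the clause, and escape single quotes as a second layer. It also illustrates why the dangerous input is not quite the one in the post: inside `PIN = '...'` a semicolon stays within the string literal, so whether `; DROP TABLE pin` does anything depends on how the data source parses that literal, whereas a value containing a single quote closes the literal and the rest of the input becomes part of the clause. The PIN format (digits only, up to 20 characters), the function names, `SAMPLE_INPUTS` and the `source_fc` reference in the comments are assumptions for the example.

```python
import re

# Added example (not the asker's code). Keeps the pattern from the post
# (a where clause built from one user parameter) but validates the input
# before it is formatted into the clause. The PIN format is an assumption:
# adjust the pattern to whatever a real PIN looks like in your data.
PIN_PATTERN = re.compile(r"^[0-9]{1,20}$")


def build_where_unsafe(pin):
    """The clause from the question: user input pasted straight into the string."""
    return "PIN = '{0}'".format(pin)


def is_valid_pin(pin):
    """Allowlist check: only the characters a PIN may contain, nothing else."""
    return PIN_PATTERN.match(pin) is not None


def escape_literal(value):
    """Defence in depth: double any single quote so it cannot close the literal."""
    return value.replace("'", "''")


def build_where_safe(pin):
    """Validate first, then quote. Raises ValueError on anything unexpected."""
    if not is_valid_pin(pin):
        raise ValueError("rejected PIN parameter: {0!r}".format(pin))
    return "PIN = '{0}'".format(escape_literal(pin))


def breaks_out_of_literal(pin):
    """True if the raw input would close the quoted literal in the unsafe clause."""
    return "'" in pin


# Constructed sample inputs: the normal case and two hostile ones.
SAMPLE_INPUTS = [
    "110101010101",                  # what the tool expects
    "110101010101; DROP TABLE pin",  # the asker's example; stays inside the quotes
    "' OR 1=1 OR PIN='",             # closes the literal and rewrites the clause
]


def check_inputs(inputs):
    """Return {input: clause or None}; None means the safe builder rejected it."""
    results = {}
    for value in inputs:
        try:
            results[value] = build_where_safe(value)
        except ValueError:
            results[value] = None
    return results


if __name__ == "__main__":
    for value in SAMPLE_INPUTS:
        print("raw   : " + build_where_unsafe(value))
        print("safe  : " + str(check_inputs([value])[value]))
        print("breaks: " + str(breaks_out_of_literal(value)))
        print("")
    # Inside the GP tool (assumption: source_fc is the feature class the tool reads):
    #   where = build_where_safe(arcpy.GetParameterAsText(0))
    #   arcpy.management.MakeFeatureLayer(source_fc, 'test_layer', where)
```

The allowlist is the part that matters: escaping alone leaves you guessing how each data source (file geodatabase, enterprise geodatabase, shapefile) parses its literals, while a pattern that only admits digits never lets a quote, semicolon or comment marker reach the clause at all. Two things on the ArcGIS side help too: a GP tool parameter can be given a filter (a value list or a range) in the tool properties so the server rejects unexpected values before your script runs, and `arcpy.AddFieldDelimiters(datasource, 'PIN')` takes care of delimiting the field name correctly for whichever data source the clause is applied to.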