https://community.esri.com/t5/python-questions/blind-sql-injection-for-geoprocessing-service/m-p/191997#M14781 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I would like to know if a geoprocessing service that is using arcpy.da.SearchCursor can be subject to <SPAN style="font-size: 11.0pt;">blind SQL injection</SPAN> if the where_clause parameter of the SearchCursor is one of the service parameter.</P><P></P><P>Is there a possibility that injecting SQL in the where_clause parameter can affect the integrity of the source table especially by using the SLEEP() command?</P><P></P><P>Thank you</P></BODY></HTML> Wed, 03 Oct 2018 13:02:13 GMT MaximeDemers 2018-10-03T13:02:13Z https://community.esri.com/t5/python-questions/blind-sql-injection-for-geoprocessing-service/m-p/191997#M14781 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I would like to know if a geoprocessing service that is using arcpy.da.SearchCursor can be subject to <SPAN style="font-size: 11.0pt;">blind SQL injection</SPAN> if the where_clause parameter of the SearchCursor is one of the service parameter.</P><P></P><P>Is there a possibility that injecting SQL in the where_clause parameter can affect the integrity of the source table especially by using the SLEEP() command?</P><P></P><P>Thank you</P></BODY></HTML> Wed, 03 Oct 2018 13:02:13 GMT https://community.esri.com/t5/python-questions/blind-sql-injection-for-geoprocessing-service/m-p/191997#M14781 MaximeDemers 2018-10-03T13:02:13Z https://community.esri.com/t5/python-questions/blind-sql-injection-for-geoprocessing-service/m-p/191998#M14782 <HTML><HEAD></HEAD><BODY><P>Have you read <A class="link-titled" href="http://enterprise.arcgis.com/en/server/latest/administer/windows/about-standardized-queries.htm" title="http://enterprise.arcgis.com/en/server/latest/administer/windows/about-standardized-queries.htm">About standardized queries—ArcGIS Server Administration (Windows) | ArcGIS Enterprise</A> ?</P></BODY></HTML> Wed, 03 Oct 2018 14:43:39 GMT https://community.esri.com/t5/python-questions/blind-sql-injection-for-geoprocessing-service/m-p/191998#M14782 JoshuaBixby 2018-10-03T14:43:39Z https://community.esri.com/t5/python-questions/blind-sql-injection-for-geoprocessing-service/m-p/191999#M14783 <HTML><HEAD></HEAD><BODY><P>Thank you for the link, that helps a lot.</P><P></P><P>I read:</P><BLOCKQUOTE class="jive_macro_quote jive-quote jive_text_macro"><P>Standardized queries are applied to the entire ArcGIS Server site; they cannot be enabled for some services and disabled for others.</P></BLOCKQUOTE><P>So if it's turned on on the server, standardized queries are being used for the where_clause in a arcpy.da.SearchCursor in a Geoprocessing Service right?</P><P></P><P>That do not just applied to standardized queries of MapServices right?</P></BODY></HTML> Wed, 03 Oct 2018 14:52:29 GMT https://community.esri.com/t5/python-questions/blind-sql-injection-for-geoprocessing-service/m-p/191999#M14783 MaximeDemers 2018-10-03T14:52:29Z