Blind SQL injection for Geoprocessing service using arcpy.da.SearchCursor

212
2
10-03-2018 06:02 AM
MaximeDemers
Occasional Contributor III

Hi,

I would like to know if a geoprocessing service that is using arcpy.da.SearchCursor can be subject to blind SQL injection if the where_clause parameter of the SearchCursor is one of the service parameter.

Is there a possibility that injecting SQL in the where_clause parameter can affect the integrity of the source table especially by using the SLEEP() command?

Thank you

Tags (1)
0 Kudos
2 Replies
JoshuaBixby
MVP Esteemed Contributor
MaximeDemers
Occasional Contributor III

Thank you for the link, that helps a lot.

I read:

Standardized queries are applied to the entire ArcGIS Server site; they cannot be enabled for some services and disabled for others.

So if it's turned on on the server, standardized queries are being used for the where_clause in a arcpy.da.SearchCursor in a Geoprocessing Service right?

That do not just applied to standardized queries of MapServices right?

0 Kudos