
Sanitizing Input in Python-based Geoprocessing Service?

12-22-2017 09:41 AM
Karyn_Kerdolff
Regular Contributor

I've created a geoprocessing service that creates new features using arcpy.SelectLayerByAttribute_management() with a where clause that is built using an attribute value provided by the user (through a Web AppBuilder geoprocessing widget) on a source SDE-based feature class, and then dissolving (there may be multiple features selected) into an in_memory feature class that is appended to the target SDE-based feature class.

I know just enough about SQL injection attacks to know that they can be a Bad Thing (tm). Should I be sanitizing the user's input in the string from the GetParameterAsText() call myself, or does arcpy handle this automagically? In this application I (think I) can trust the users who would be entering data, but one drop table command from one attacker slipping in would be bad.

2 Replies
DanPatterson_Retired
MVP Emeritus

arcpy handles nothing magically, nor does Python. All GetParameterAsText does is make a string out of whatever it is given... if it can, so numbers get converted to text, which means you have to convert them back... I prefer sys.argv when you don't want to mess around with objects being passed to scripts.

Some illustrative examples might help fine-tune your question and subsequent responses

JonathanQuinn
Esri Notable Contributor

Another option could be moving the feature class from your SDE database into either in_memory or the scratchGDB and then do any processing against that feature class so you won't have to worry about that type of problem.
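As an added example (not code from this thread, from Esri, or from either reply's author), here is the workflow from the question with the where clause built defensively instead of by concatenation. The where_clause argument of arcpy's SelectLayerByAttribute is a plain SQL fragment with no bind-parameter support, so the defensive pattern is: accept only allow-listed field names, delimit them with arcpy.AddFieldDelimiters, coerce numeric values to numbers, and render text values as SQL string literals with embedded single quotes doubled. The field names in ALLOWED_FIELDS and the .sde paths are constructed assumptions; the clause-building helpers are pure Python so they run without ArcGIS, and arcpy is only imported inside the function that actually calls the geoprocessing tools.

```python
"""Hardened where-clause construction for an arcpy geoprocessing service.

Added example for the thread above, not code from the original post.
The field list and the datasource paths are constructed placeholders.
"""


# Constructed allow-list: the fields the widget may query, with the Python
# type each value must coerce to. Hypothetical names; replace with the real
# schema of the source feature class.
ALLOWED_FIELDS = {
    "PARCEL_ID": str,
    "OWNER_NAME": str,
    "ZONE_CODE": int,
}


def vulnerable_where(field, value):
    """The pattern the question describes: raw string concatenation.
    A legitimate O'Brien breaks the query; a crafted value rewrites it."""
    return "%s = '%s'" % (field, value)


def sql_string_literal(value):
    """Render a Python string as an SQL string literal.

    Doubling the single quote is the standard SQL escape and is what keeps
    an attacker's quote inside the literal. Control characters are refused
    outright: no attribute value in this service legitimately needs them.
    """
    text = str(value)
    if any(ord(ch) < 32 or ch == "\x7f" for ch in text):
        raise ValueError("control characters are not allowed in attribute values")
    return "'" + text.replace("'", "''") + "'"


def safe_where(field, value, delimit=lambda name: name):
    """Build `<field> = <literal>` from untrusted input.

    - field must be in ALLOWED_FIELDS, otherwise ValueError
    - integer fields: the value is parsed with int() and re-serialised, so
      anything that is not an integer literal is rejected
    - text fields: the value becomes a quoted, escaped literal
    `delimit` wraps the field name; pass arcpy.AddFieldDelimiters bound to
    the real datasource (see select_and_dissolve below).
    """
    if field not in ALLOWED_FIELDS:
        raise ValueError("field %r is not queryable" % (field,))
    if ALLOWED_FIELDS[field] is int:
        literal = str(int(str(value).strip()))
    else:
        literal = sql_string_literal(value)
    return "%s = %s" % (delimit(field), literal)


def select_and_dissolve(source_fc, target_fc, field, value):
    """The question's select -> dissolve -> append workflow, hardened.

    Requires ArcGIS; arcpy is imported here so the helpers above stay
    importable (and testable) without it. Returns the clause that was used.
    """
    import arcpy

    where = safe_where(field, value,
                       lambda name: arcpy.AddFieldDelimiters(source_fc, name))
    layer = arcpy.MakeFeatureLayer_management(source_fc, "src_lyr")
    arcpy.SelectLayerByAttribute_management(layer, "NEW_SELECTION", where)
    dissolved = arcpy.Dissolve_management(layer, "in_memory/dissolved")
    # Append the dissolved feature(s) to the target; schemas assumed to match.
    arcpy.Append_management(dissolved, target_fc, "TEST")
    return where


if __name__ == "__main__":
    # Run as a script tool: parameter 0 is the user-supplied value from the
    # widget. The queried field is fixed by the tool, not chosen by the user.
    import sys
    import arcpy

    value = arcpy.GetParameterAsText(0)  # always a string, as the first reply notes
    try:
        clause = select_and_dissolve(
            r"Database Connections\prod.sde\parcels",      # constructed path
            r"Database Connections\prod.sde\parcel_work",  # constructed path
            "PARCEL_ID", value)
    except ValueError as exc:
        arcpy.AddError("Rejected input: %s" % exc)
        sys.exit(1)
    arcpy.AddMessage("Selected with: " + clause)
```

Doubling the single quote is the portable SQL escape; if the backing DBMS is configured to honour backslash escapes inside string literals as well, extend sql_string_literal to reject or escape backslashes. Copying the source into in_memory or the scratch geodatabase, as the second reply suggests, narrows what a bad clause can reach, but the clause is still built from untrusted text and should still be assembled this way.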