Sanitizing Input in Python-based Geoprocessing Service?

Karyn_Kerdolff · ‎12-22-2017

I've created a geoprocessing service that creates new features using arcpy.SelectLayerByAttribute_management() with a where clause that is built using an attribute value provided by the user (through a Web AppBuildier geoprocessing widget) on a source SDE-based feature class and then dissolving (there may be multiple features selected) into an in_memory feature class that is appended to the target SDE-based feature class.

I know just enough about SQL injection attacks to know that they can be a Bad Thing (tm). Should I be sanitizing the user's input in the string from the GetParameterAsText() call myself, or does arcpy handle this automagically? In this application I (think I) can trust the users who would be entering data, but one drop table command from one attacker slipping in would be bad.

DanPatterson_Retired · ‎12-22-2017

arcpy handles nothing magically, nor does python. Al getparameterastext does is makes a string out whatever it is given... if it can, so numbers get converted to text which means you have to convert them back... I prefer sys.argv when you don't want to mess around with objects being passed to scripts.

Some illustrative examples might help fine-tune your question and subsequent responses

JonathanQuinn · ‎12-22-2017

Another option could be moving the feature class from your SDE database into either in_memory or the scratchGDB and then do any processing against that feature class so you won't have to worry about that type of problem.