
Do the SelectLayerByAttribute or MakeFeatureLayer tools have any sort of internal checking for SQL Injection?

Question asked by christopherfricke on Feb 9, 2015
Latest reply on Feb 9, 2015 by bixb0012

I'm making a GP tool for ArcGIS server to generate some standard reports with user input. I'm making a tool that allows for user input into a formatted query. I'd like to make sure I don't allow people to blow it up.

As an example:

    parameter_1 = <USER INPUT>

    def query(parameter_1):
        query = "PIN = '{0}'".format(parameter_1)
        arcpy.management.MakeFeatureLayer(source_fc, 'test_layer', query)
        print query

Usually the operation will go as this:

    parameter_1 = '110101010101'

    def query(parameter_1):
        query = "PIN = '{0}'".format(parameter_1)
        arcpy.management.MakeFeatureLayer(source_fc, 'test_layer', query)
        print query

    > ExecuteTool()

    PIN = '110101010101'

Theoretically the user could

    parameter_1 = '110101010101; DROP TABLE pin'

    def query(parameter_1):
        query = "PIN = '{0}'".format(parameter_1)
        arcpy.management.MakeFeatureLayer(source_fc, 'test_layer', query)
        print query

    > ExecuteTool()

    ??????
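One defender-side way to close the gap the question describes, added here as an example rather than code from the original post: validate the user value against an allow-list before it is ever formatted into the where clause, and fall back to SQL string-literal escaping only for fields that genuinely need free text. PIN_PATTERN, the function names and the digits-only PIN format are assumptions made for this example.

```python
import re

# Allow-list for the PIN parameter from the question above. The pattern is an
# assumption for this example: a PIN here is a run of 1 to 20 decimal digits.
PIN_PATTERN = re.compile(r"^[0-9]{1,20}$")


def is_safe_pin(parameter_1):
    """True only if the user value is a string that matches the allow-list."""
    return isinstance(parameter_1, str) and PIN_PATTERN.match(parameter_1) is not None


def build_pin_where_clause(parameter_1):
    """Build the where clause the question formats, but refuse anything that is
    not a plain PIN. Rejecting before formatting means quotes, semicolons and
    keywords in the input never reach the SQL text at all."""
    if not is_safe_pin(parameter_1):
        raise ValueError("PIN parameter rejected: {0!r}".format(parameter_1))
    return "PIN = '{0}'".format(parameter_1)


def quote_sql_string(value):
    """For a field that really needs free text, emit a SQL string literal with
    embedded single quotes doubled (standard SQL escaping), so the input cannot
    terminate the literal early. Prefer the allow-list whenever the format is known."""
    return "'" + str(value).replace("'", "''") + "'"


if __name__ == "__main__":
    # Constructed inputs: the normal value and the hostile one from the question.
    for candidate in ("110101010101", "110101010101; DROP TABLE pin"):
        try:
            print(build_pin_where_clause(candidate))
        except ValueError as err:
            print(err)
    # The guarded clause is what the question's query() function would hand to
    # MakeFeatureLayer; the arcpy call itself does not change.
    print("OWNER = " + quote_sql_string("O'Brien"))
```

The first control is the one that matters: once the value is known to be digits only, the formatted clause can contain nothing but the intended comparison.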
