AnsweredAssumed Answered

Sanitizing Input in Python-based Geoprocessing Service?

Question asked by jadams9 on Dec 22, 2017
Latest reply on Dec 22, 2017 by JQuinn-esristaff

I've created a geoprocessing service that creates new features using arcpy.SelectLayerByAttribute_management() with a where clause that is built using an attribute value provided by the user (through a Web AppBuildier geoprocessing widget) on a source SDE-based feature class and then dissolving (there may be multiple features selected) into an in_memory feature class that is appended to the target SDE-based feature class.

 

I know just enough about SQL injection attacks to know that they can be a Bad Thing (tm). Should I be sanitizing the user's input in the string from the GetParameterAsText() call myself, or does arcpy handle this automagically? In this application I (think I) can trust the users who would be entering data, but one drop table command from one attacker slipping in would be bad.

Outcomes