How to prevent malicious/careless use of a QueryTask?

07-26-2011 09:18 PM
StephenLead
Regular Contributor III
The samples using the Query and Find tasks carefully manage the query, for example using a point for the query.geometry, or only allowing a known field to be searched.

What are the best practices to avoid problems, when allowing the user to enter the query.where clause themselves?

For example, the user might enter 1=1 or OBJECTID > 1, resulting in the query timing out (especially if the query is returning the geometry).

One option could be to run QueryTask.executeForCount to ensure that no more than X features are returned - but even this requires the query to finish (or time out) before returning a count.

Thanks,
Steve
4 Replies
derekswingley1
Frequent Contributor
I think using executeForCount is a good idea to handle this. But AGS tries to protect you from regularly overwhelming services by setting the default max number of results to 1000 (it was 500 at 9.3.1). Have you changed this setting?
StephenLead
Regular Contributor III
AGS tries to protect you from regularly overwhelming services by setting the default max number of results to 1000

I guess I'm concerned about the possibility of someone trying SQL injection or similar, to try to overwhelm the server by running multiple large requests. Is preventing that beyond the scope of the JS API, and more in the realms of web security software?

Have you changed this setting?

No, but I'd be interested in knowing how to do so. In my case, more than about 20 results would be meaningless, so it would be great if I could have the server time-out as soon as this limit was reached.

Thanks,
Steve
derekswingley1
Frequent Contributor
Yes, I'd say preventing SQL injection attacks is beyond the scope of the JS API. It's probably a better question for the REST API forum.

To change the max number of records returned by a service, edit the service's config file and change MaxRecordCount to the desired number. Here's the documentation for this:  http://help.arcgis.com/en/arcgisserver/10.0/help/arcgis_server_dotnet_help/index.html#//0093000000mr...
nicogis
MVP Frequent Contributor
In general, if you want to prevent SQL injection you must check the type of each input: so in your case, for example, you use two inputs (a condition: <, = or >) and a number.

Specifically, QueryTask is developed by Esri, so it should prevent SQL injection attacks.

You can test it by creating a service (use SQL Server and a layer, and add a test table) and, from the REST services directory, performing a query with a where clause like:

objectid>0;drop table dbo.test;

I think it returns 'Unable to perform query'.

Extra info on SQL injection: http://www.unixwiz.net/techtips/sql-injection.html
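An added example (not code from this thread, and not Esri's API) of the input-typing approach nicogis describes, combined with the small result cap Steve asks about: the page builds the where clause from a known field, an allow-listed operator and a validated number, so free text never reaches the service. The field names, the 20-record cap and the function names are assumptions.

```javascript
// Constructed for this example: the fields this page is allowed to query,
// the comparison operators it offers, and its own result cap (independent
// of the service's MaxRecordCount).
const ALLOWED_FIELDS = new Set(["OBJECTID", "POPULATION", "AREA_SQKM"]);
const ALLOWED_OPERATORS = new Set(["<", "=", ">"]);
const MAX_RECORDS = 20;

// Builds a where clause from typed inputs; throws if any input is outside
// the allow-lists, so the clause sent to QueryTask is always "FIELD op number".
function buildWhereClause(field, operator, value) {
  if (!ALLOWED_FIELDS.has(field)) {
    throw new Error("field not queryable: " + String(field));
  }
  if (!ALLOWED_OPERATORS.has(operator)) {
    throw new Error("operator not allowed: " + String(operator));
  }
  // Accept only a plain decimal number; quotes, semicolons and keywords
  // (e.g. "0;drop table dbo.test;") fail this pattern and are rejected.
  const text = String(value).trim();
  if (!/^-?\d+(\.\d+)?$/.test(text)) {
    throw new Error("value is not a number: " + text);
  }
  const number = Number(text);
  if (!Number.isFinite(number)) {
    throw new Error("value out of range: " + text);
  }
  return field + " " + operator + " " + String(number);
}

// Gate for the two-step pattern from the question: run
// QueryTask.executeForCount first and only issue the full, geometry-returning
// query when the count is within the application's own limit.
function withinRecordLimit(count) {
  return Number.isInteger(count) && count >= 0 && count <= MAX_RECORDS;
}
```

The count check still requires the service to evaluate the clause, so the input validation is what keeps arbitrary clauses such as 1=1 from being sent at all.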