Skip To Content

About standardized queries

ArcGIS Server includes a security option that forces developers to use standardized SQL queries when working with map, feature, image, and WFS services through REST or SOAP. This makes it easier for developers and applications to query ArcGIS Server services and helps prevent SQL injection attacks. Standardized queries are enforced by default, but can be disabled by the server administrator.

How do standardized queries affect me?

When standardized queries are enabled, ArcGIS checks for standard syntax, and does not allow database-specific functions and syntax. If you're an application developer that is currently using database-specific functions and syntax, you'll need to update the where clauses in your application's code to use common SQL syntax supported by ArcGIS. Alternatively, you can disable ArcGIS Server from checking for standardized queries.

Limitations of standardized queries

Standardized queries are applied to the entire ArcGIS Server site; they cannot be enabled for some services and disabled for others.

Standardized queries are not supported on joins between different workspaces. Additionally, database tables accessed through an OLE DB connection file are not supported. If your service data contains these sources, you'll need to use alternative methods for referencing your data.

Subqueries as a where clause, for example, POP_2010 = (SELECT min(POP_2010) FROM counties are not supported.

How do I write a standardized query?

The following topic describes which SQL functions are supported in ArcGIS Server:

Supported SQL functions in ArcGIS Server

You can use this document to help you understand which SQL functions can be used to generate standardized queries that can be used against map, feature, image, and WFS services in your applications.

How do I know if standardized queries are being used by ArcGIS Server?

As mentioned above, standardized queries are enabled by default and apply to all map, feature, image, and WFS services in the ArcGIS Server site. However, a server administrator can verify that standardized queries are being used by logging in to the ArcGIS Server Administrator Directory and navigating to system > properties > update. If no system property is displayed in the System Properties dialog box or {"standardizedQueries": "true"} is present, then standardized queries are turned on.

Alternatively, administrators, application developers, and clients can verify that standardized queries are being used by accessing a service through the ArcGIS Server Services Directory and reviewing the Use Standardized Queries property. For map, feature, and WFS services, the property can be reviewed by accessing a specific layer or table in the service, for example, http://gisserver.domain.com:6080/arcgis/rest/services/folder/service/service type/0. For image services, the property is available at the service endpoint, for example, http://gisserver.domain.com:6080/arcgis/rest/services/folder/service/ImageServer.

For instructions on how to access the Administrator Directory or to learn how to disable standardized queries, see the next section of this topic.

Disabling standardized queries

If you need to use database-specific where clause statements in your application, you can disable standardized queries by accessing the ArcGIS Server Administrator Directory. To do so, follow the instructions below.

Caution:

By disabling this security option, your site becomes more vulnerable to SQL injection attacks.

  1. Open the Administrator Directory and log in with a user that has administrative permissions to your site. The Administrator Directory is typically available at http://gisserver.domain.com:6080/arcgis/admin.
  2. Click system > properties > update.
  3. On the Operation - update page, enter the following string into the System Properties dialog box:

    {"standardizedQueries": "false"}

  4. Click Update.
  5. Restart ArcGIS Server.

Your site is now configured to allow users to send requests to map, feature, image, and WFS services using nonstandardized queries. To reenable standardized queries, repeat the above instructions but set the standardizedQueries property to true.