
Enforce standardized SQL queries

ArcGIS Server includes a security option that forces developers to use standardized SQL queries when working with map, feature, image, and WFS services through REST or SOAP. This makes it easier for developers and applications to query ArcGIS Server services and helps prevent SQL injection attacks. Standardized queries are enforced by default but can be disabled by the server administrator.

Standardized queries

When standardized queries are enabled, ArcGIS Server checks for standard syntax and does not allow database-specific functions and syntax. If you're an application developer currently using database-specific functions and syntax, you must update the where clauses in your application's code to use the common SQL syntax supported by ArcGIS. Alternatively, you can turn off standardized query checking on ArcGIS Server.

Limitations of standardized queries

Standardized queries are applied to the entire ArcGIS Server site; they cannot be enabled for some services and disabled for others.

Standardized queries are not supported on joins between different workspaces. Additionally, database tables accessed through an OLE DB connection file are not supported. If your service data contains these sources, you must use alternative methods for referencing your data.

Subqueries as a where clause, for example, POP_2010 = (SELECT min(POP_2010) FROM counties), are not supported.

Write a standardized query

The table at the end of this topic describes which SQL functions are supported in ArcGIS Server. You can use this table to help you understand which SQL functions can be used to generate standardized queries that can be used against map, feature, image, and WFS services in your applications.

Determine if standardized queries are being used by ArcGIS Server

As mentioned above, standardized queries are enabled by default and apply to all map, feature, image, and WFS services in the ArcGIS Server site. However, a server administrator can verify that standardized queries are being used by signing in to the ArcGIS Server Administrator Directory and browsing to system > properties > update. If no system property is displayed in the System Properties dialog box or {"standardizedQueries": "true"} is present, standardized queries are turned on.

Alternatively, administrators, application developers, and clients can verify that standardized queries are being used by accessing a service through the ArcGIS Server Services Directory and reviewing the Use Standardized Queries property. For map, feature, and WFS services, the property can be reviewed by accessing a specific layer or table in the service, for example, https://gisserver.domain.com:6443/arcgis/rest/services/folder/service/service type/0. For image services, the property is available at the service endpoint, for example, https://gisserver.domain.com:6443/arcgis/rest/services/folder/service/ImageServer.

For instructions on how to access the Administrator Directory or to learn how to disable standardized queries, see the next section of this topic.
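The check described above, as an added example (not Esri's code): it applies the page's rule to the JSON returned by the Administrator Directory's system properties and by a layer resource. The sample responses are constructed, and the layer JSON key name useStandardizedQueries is an assumption.

```python
import json

# Constructed sample responses shaped like the resources this page describes;
# they are not captured from a real server. Real ones come from
# .../arcgis/admin/system/properties?f=json and from a layer or table such as
# .../arcgis/rest/services/folder/service/MapServer/0?f=json.
SYSTEM_PROPS_DEFAULT = "{}"                                 # nothing set, so the default applies
SYSTEM_PROPS_DISABLED = '{"standardizedQueries": "false"}'  # the string from the disable procedure
LAYER_RESOURCE = '{"id": 0, "name": "Counties", "useStandardizedQueries": true}'


def standardized_queries_enforced(system_properties: dict) -> bool:
    """Apply this page's rule to the admin system/properties JSON: no
    standardizedQueries property, or a value of "true", means enforcement is
    on; only an explicit "false" turns it off. Accepts the string form the
    page shows as well as a JSON boolean."""
    value = system_properties.get("standardizedQueries", "true")
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() != "false"


def layer_reports_enforced(layer_resource: dict):
    """Read the 'Use Standardized Queries' property from a layer, table or
    ImageServer resource. The key name useStandardizedQueries is an
    assumption. Returns None when the property is absent so a caller can
    tell 'not reported' from 'false'."""
    value = layer_resource.get("useStandardizedQueries")
    if value is None:
        return None
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def audit(system_props_json: str, layer_json: str) -> dict:
    """Combine both checks; 'finding' is True whenever either source shows
    the SQL injection protection switched off."""
    site = standardized_queries_enforced(json.loads(system_props_json))
    layer = layer_reports_enforced(json.loads(layer_json))
    return {"site_enforced": site, "layer_enforced": layer,
            "finding": (not site) or layer is False}


if __name__ == "__main__":
    print(audit(SYSTEM_PROPS_DEFAULT, LAYER_RESOURCE))   # no finding
    print(audit(SYSTEM_PROPS_DISABLED, LAYER_RESOURCE))  # finding: site_enforced is False
```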

Disable standardized queries

If you need to use database-specific where clause statements in your application, you can disable standardized queries by accessing the ArcGIS Server Administrator Directory. To do so, follow the instructions below.

Caution:

By disabling this security option, your site becomes more vulnerable to SQL injection attacks.

Note:

Disabling standardized queries is not supported for hosted feature services in ArcGIS Enterprise.

  1. Open the Administrator Directory and sign in with a user that has administrative permissions to your site.

    The Administrator Directory is typically available at https://gisserver.domain.com:6443/arcgis/admin.

  2. Click system > properties > update.
  3. On the Operation - update page, enter the following string into the System Properties dialog box:

    {"standardizedQueries": "false"}

  4. Click Update.
  5. Restart ArcGIS Server.

Your site is now configured to allow users to send requests to map, feature, image, and WFS services using nonstandardized queries. To re-enable standardized queries, repeat the above instructions but set the standardizedQueries property to true.

Supported SQL functions in ArcGIS Server

The following table shows which SQL functions are supported by ArcGIS Server and the syntax for each. When these functions and syntax are used in your applications, ArcGIS Server converts them to conform to the specification of the database used by the service.

These functions apply to ArcGIS Server web services, not hosted web layers.

| Function type | Function | Description | Example | Notes |
| --- | --- | --- | --- | --- |
| Date | CURRENT_DATE | Returns the current date in the session time zone. | Datefield < CURRENT_DATE | Only the following date and timestamp syntax is supported: date 'yyyy-mm-dd', for example, Datefield = date '2012-05-29'; timestamp 'yyyy-mm-dd hh:mm:ss', for example, Datefield = timestamp '2012-05-29 15:14:25' |
| Date | CURRENT_TIMESTAMP | Returns the current local time. | Timestampfield < CURRENT_TIMESTAMP | |
| Date | EXTRACT(extract_field FROM extract_source) | Returns a single part of the date/time, such as year, month, day, hour, minute, and so on. The extract_field argument can be one of the following keywords: YEAR, MONTH, DAY, HOUR, MINUTE, or SECOND. | Search all rows from the month of November: EXTRACT(MONTH FROM Datefield) = 11 | |
| Math | ABS(numeric_exp) | Returns the absolute (positive) value of the specified numeric expression. | | |
| Math | CEILING(numeric_exp) | Returns the smallest integer greater than or equal to the specified numeric expression. | | |
| Math | FLOOR(numeric_exp) | Returns the largest integer less than or equal to the specified numeric expression. | | |
| Math | LOG(float_exp) | Returns the natural logarithm of the specified float expression. | | |
| Math | LOG10(float_exp) | Returns the base-10 logarithm of the specified float expression. | | |
| Math | POWER(numeric_exp, integer_exp) | Returns the value of the specified expression raised to the specified power. | POWER(Numericfield, 2) = 16 | |
| Math | ROUND(numeric_exp, integer_exp) | Returns a numeric value rounded to the specified length or precision. | | |
| Math | TRUNCATE(numeric_exp, integer_exp) | Returns a numeric value truncated, not rounded, to the specified length or precision. | | |
| String | CHAR_LENGTH(string_exp) | Returns the length in characters of the input string. | | |
| String | CONCAT(string_exp1, string_exp2) | Returns a string that is the result of concatenating two or more string values. | | |
| String | LOWER(string_exp) | Returns a character expression after converting uppercase character data to lowercase. | | |
| String | SUBSTRING(string_exp FROM start FOR length) | Returns part of a character or text expression. | Search all rows where the first two characters of Stringfield are Ch: SUBSTRING(Stringfield FROM 1 FOR 2)='Ch' | |
| String | UPPER(string_exp) | Returns a character expression with lowercase character data converted to uppercase. | | |
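A developer-side lint that applies the rules above (the supported-function table, the unsupported subquery form, and the date and timestamp literal syntax) to a where clause before it is sent, as an added example that is not Esri's code and is not ArcGIS Server's own parser; the sample clauses are taken from this page or constructed.

```python
import re

# Function names taken from the supported-functions table on this page.
SUPPORTED_FUNCTIONS = {
    "CURRENT_DATE", "CURRENT_TIMESTAMP", "EXTRACT",
    "ABS", "CEILING", "FLOOR", "LOG", "LOG10", "POWER", "ROUND", "TRUNCATE",
    "CHAR_LENGTH", "CONCAT", "LOWER", "SUBSTRING", "UPPER",
}

_STRING = re.compile(r"'(?:[^']|'')*'")                  # SQL string literal; '' escapes a quote
_CALL = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)\s*\(")    # identifier followed by '('
_DATE_LITERAL = re.compile(r"\b(date|timestamp)\s*'([^']*)'", re.IGNORECASE)
_DATE_SHAPES = {
    "date": r"\d{4}-\d{2}-\d{2}",                         # date 'yyyy-mm-dd'
    "timestamp": r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}",   # timestamp 'yyyy-mm-dd hh:mm:ss'
}


def check_where_clause(where: str) -> list:
    """Return the problems that would make `where` a nonstandardized query
    under the rules on this page: a subquery, a function outside the
    supported table, or a date/timestamp literal in another format.
    An empty list means the clause passed this lint."""
    problems = []
    # Blank out string literals so words inside quotes are not parsed.
    stripped = _STRING.sub("''", where)
    if re.search(r"\bSELECT\b", stripped, re.IGNORECASE):
        problems.append("subqueries are not supported")
    for name in _CALL.findall(stripped):
        if name.upper() not in SUPPORTED_FUNCTIONS:
            problems.append(f"unsupported function: {name}()")
    for kind, text in _DATE_LITERAL.findall(where):
        if not re.fullmatch(_DATE_SHAPES[kind.lower()], text):
            problems.append(f"{kind.lower()} literal '{text}' does not match the supported syntax")
    return problems


if __name__ == "__main__":
    for clause in [
        "EXTRACT(MONTH FROM Datefield) = 11",                # from the table: passes
        "Datefield = timestamp '2012-05-29 15:14:25'",       # supported literal syntax: passes
        "POP_2010 = (SELECT min(POP_2010) FROM counties)",  # subquery from this page: rejected
        "Datefield > GETDATE()",                             # constructed database-specific call: rejected
    ]:
        print(clause, "->", check_where_clause(clause) or "ok")
```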