Vishful thinking…

Exploring/Exploiting the query operation in the ArcGIS REST API

Posted in ArcGIS, ESRI, GIS by viswaug on July 9, 2009

I was starting to look harder at the query operation in the ArcGIS Server REST API today to figure out whether I could leverage it to get the specific results I needed instead of building my own REST services. The scenario I was looking at was getting the records corresponding to the minimum and the maximum values in a given field. For example, say you have a ‘States’ layer with a field called ‘POP2008’ that contains population numbers for the year 2008. In this case, I want to obtain the state records with the minimum and the maximum population for 2008. At the outset, there didn’t seem to be a way to do it. After spending some time investigating the possibilities with the REST API query operation, I found that it was in fact possible. Assuming that the FeatureClass name of the ‘States’ layer is ‘States_DTL’, the query below will produce the desired results.

POP2008 = (SELECT MIN(POP2008) from States_DTL) OR POP2008 = (SELECT MAX(POP2008) from States_DTL)

I was surprised to find that I was able to use the name of a FeatureClass in the query. Agreed, the user of the REST API will not necessarily know the name of the FeatureClass, but the user could get lucky and guess the name of the FeatureClass after ‘n’ tries. The FeatureClass / Table being used doesn’t even need to be a part of the MapService. I am not yet sure how far this behavior can be exploited. Nevertheless, I found it a little more than interesting.
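As an added example (not code from this post or from Esri), here is a small defender-side check that scans ArcGIS REST query request URLs for ‘where’ clauses carrying a nested SELECT like the one above, and lists the tables they name against the MapService’s own allow-list. The server name, the sample requests and the allow-list are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# A nested SELECT is the tell-tale of the subquery trick shown above.
SUBQUERY_RE = re.compile(r"\(\s*select\b", re.IGNORECASE)
# Every table name that follows a FROM anywhere in the clause.
FROM_RE = re.compile(r"\bfrom\s+([A-Za-z_][\w.]*)", re.IGNORECASE)
# The only shape a plain attribute filter needs: <field> <op> <literal>
# joined by AND/OR; anything else is held for review.
LITERAL = r"(?:'[^']*'|-?\d+(?:\.\d+)?)"
PREDICATE = rf"[A-Za-z_]\w*\s*(?:=|<>|!=|<=|>=|<|>|\bLIKE\b)\s*{LITERAL}"
SIMPLE_WHERE_RE = re.compile(
    rf"^\s*{PREDICATE}(?:\s+(?:AND|OR)\s+{PREDICATE})*\s*$", re.IGNORECASE)

# Constructed sample requests to a hypothetical server, not real logs.
BASE = "http://gis.example.invalid/ArcGIS/rest/services/Demo/States/MapServer/0"
SAMPLE_LOG = [
    BASE + "/query?where=POP2008+%3E+5000000&f=json",
    BASE + "/query?where=POP2008+%3D+(SELECT+MIN(POP2008)+from+States_DTL)"
           "+OR+POP2008+%3D+(SELECT+MAX(POP2008)+from+States_DTL)&f=json",
    BASE + "/query?where=STATE_NAME+IN+(SELECT+NAME+from+Other_Table)&f=json",
    BASE + "?f=json",  # layer metadata request, carries no where clause
]

def extract_where(url):
    """Return the `where` parameter of a layer `query` request, else None."""
    parts = urlsplit(url)
    if not parts.path.rstrip("/").endswith("/query"):
        return None
    return parse_qs(parts.query).get("where", [None])[0]

def analyse_where(where, allowed_tables):
    """Classify a clause as 'ok', 'subquery' or 'review' and list the tables
    it names, separating those outside the service's own allow-list."""
    allowed = {t.lower() for t in allowed_tables}
    tables = sorted({t.lower() for t in FROM_RE.findall(where)})
    if SUBQUERY_RE.search(where):
        verdict = "subquery"
    elif SIMPLE_WHERE_RE.match(where):
        verdict = "ok"
    else:
        verdict = "review"
    return {"verdict": verdict, "tables": tables,
            "foreign_tables": [t for t in tables if t not in allowed]}

def scan_log(lines, allowed_tables):
    """Run the check over request lines; non-query URLs are skipped."""
    return [(w, analyse_where(w, allowed_tables))
            for w in map(extract_where, lines) if w is not None]
```

Treat this as a log-review or reverse-proxy rule, not a substitute for securing the service itself.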

6 Responses


  1. bert said, on July 9, 2009 at 11:31 am

    Interesting, should something like this be working? I got an error ‘Unable to perform query. Please check your parameters.’ Note: I’m guessing the ‘states’ name…

    http://sampleserver1.arcgisonline.com/ArcGIS/rest/services/Specialty/ESRI_StateCityHighway_USA/MapServer/1/query?POP1990%20=%20(SELECT%20MIN(POP1990)%20from%20states)

  2. viswaug said, on July 9, 2009 at 12:21 pm

    Hi bert,

    I don’t believe that ‘states’ is the name of the FeatureClass. I checked this on our servers where I know the name of the FeatureClasses present.

    But I believe that the above query should NOT work. I am not sure as to how far the above can be exploited, but it certainly could be a very bad thing.

    Thank You,
    Vish

  3. bert said, on July 9, 2009 at 2:19 pm

    Do you have a sample URL that should work? I tried it on my server (where I know all the names) but wasn’t able to construct a working URL.

    • viswaug said, on July 9, 2009 at 7:13 pm

      Sent you a sample URL by mail.

      Vish

  4. James said, on July 9, 2009 at 6:22 pm

    The FeatureClass / Table being used doesn’t even need to be a part of the MapService

    So basically the query is just passed through to SQL? Does that mean they could select all on any of the tables as long as they knew the name?

  5. Gregory said, on May 18, 2010 at 4:27 pm

    There is a strong argument here for securing these services.

    See: http://help.arcgis.com/en/arcgisserver/10.0/help/arcgis_server_dotnet_help/index.html#/Internet_security_overview/0093000000pp000000/
