ArcGIS Server includes a security option that forces developers to use standardized SQL queries when working with map, feature, image, and WFS services through REST or SOAP. This makes it easier for developers and applications to query ArcGIS Server services and helps prevent SQL injection attacks. Standardized queries are enforced by default, but can be disabled by the server administrator.
About standardized queries
When standardized queries are enabled, ArcGIS Server checks for standard syntax, and does not allow database-specific functions and syntax. If you're an application developer currently using database-specific functions and syntax, you'll need to update the where clauses in your application's code to use common SQL syntax supported by ArcGIS. Alternatively, you can disable ArcGIS Server from checking for standardized queries.
Limitations of standardized queries
Standardized queries are applied to the entire ArcGIS Server site; they cannot be enabled for some services and disabled for others.
Standardized queries are not supported on joins between different workspaces. Additionally, database tables accessed through an OLE DB connection file are not supported. If your service data contains these sources, you'll need to use alternative methods for referencing your data.
Subqueries as a where clause, for example, POP_2010 = (SELECT min(POP_2010) FROM counties), are not supported.
How do I write a standardized query?
The table at the end of this topic describes which SQL functions are supported in ArcGIS Server. You can use this table to help you understand which SQL functions can be used to generate standardized queries that can be used against map, feature, image, and WFS services in your applications.
How do I know if standardized queries are being used by ArcGIS Server?
As mentioned above, standardized queries are enabled by default and apply to all map, feature, image, and WFS services in the ArcGIS Server site. However, a server administrator can verify that standardized queries are being used by logging in to the ArcGIS Server Administrator Directory and browsing to system > properties > update. If no system property is displayed in the System Properties dialog box or {"standardizedQueries": "true"} is present, standardized queries are turned on.
Alternatively, administrators, application developers, and clients can verify that standardized queries are being used by accessing a service through the ArcGIS Server Services Directory and reviewing the Use Standardized Queries property. For map, feature, and WFS services, the property can be reviewed by accessing a specific layer or table in the service, for example, https://gisserver.domain.com:6443/arcgis/rest/services/folder/service/service type/0. For image services, the property is available at the service endpoint, for example, https://gisserver.domain.com:6443/arcgis/rest/services/folder/service/ImageServer.
For instructions on how to access the Administrator Directory or to learn how to disable standardized queries, see the next section of this topic.
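As an added example (not Esri code or part of this topic), a small Python audit that applies the rules just described to the JSON returned by the Administrator Directory and Services Directory: a missing standardizedQueries system property counts as enabled, only an explicit "false" disables it, and each layer's own property is read separately. The layer JSON key useStandardizedQueries and the f=json and token query parameters are assumptions of this example.

```python
import json
import urllib.request  # used only by the optional live fetch helper

def system_property_enabled(system_props):
    """Interpret the JSON from system > properties.
    A missing 'standardizedQueries' property means the check is ON; only an
    explicit "false" turns it off. The page shows the value as a string, but a
    boolean is tolerated in case a client serialised it that way."""
    value = system_props.get("standardizedQueries", "true")
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() != "false"

def layer_enabled(layer_json):
    """Read a layer's 'Use Standardized Queries' property. The JSON key name
    'useStandardizedQueries' is an assumption of this example; the page only
    names the property as shown in the Services Directory. An absent key is
    returned as None (unknown), never silently treated as enabled."""
    value = layer_json.get("useStandardizedQueries")
    if value is None or isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"

def audit(system_props, layers):
    """Return (layer name, status) pairs; a layer that can accept
    nonstandardized where clauses is flagged for follow-up."""
    site_on = system_property_enabled(system_props)
    findings = []
    for layer in layers:
        per_layer = layer_enabled(layer)
        effective = site_on if per_layer is None else per_layer
        status = "ok" if effective else "NONSTANDARD-QUERIES-ALLOWED"
        findings.append((layer.get("name", "?"), status))
    return findings

def fetch_json(url, token=None):
    """Optional live helper: GET an ArcGIS REST resource as JSON (f=json)."""
    sep = "&" if "?" in url else "?"
    full = f"{url}{sep}f=json" + (f"&token={token}" if token else "")
    with urllib.request.urlopen(full) as resp:  # assumes a trusted HTTPS URL
        return json.load(resp)

# Constructed sample responses for offline use, not captured from a server.
SAMPLE_PROPS = {"standardizedQueries": "false"}
SAMPLE_LAYERS = [
    {"name": "counties", "useStandardizedQueries": False},
    {"name": "roads"},  # property absent: falls back to the site setting
]
```

Calling audit(SAMPLE_PROPS, SAMPLE_LAYERS) flags both constructed layers, because the site-wide property is "false" and the layer without its own property inherits that setting.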
Disable standardized queries
If you need to use database-specific where clause statements in your application, you can disable standardized queries by accessing the ArcGIS Server Administrator Directory. To do so, follow the instructions below.
Caution:
By disabling this security option, your site becomes more vulnerable to SQL injection attacks.
Note:
Disabling standardized queries is not supported for hosted feature services in ArcGIS Enterprise.
- Open the Administrator Directory and log in with a user that has administrative permissions to your site. The Administrator Directory is typically available at https://gisserver.domain.com:6443/arcgis/admin.
- Click system > properties > update.
- On the Operation - update page, enter the following string into the System Properties dialog box: {"standardizedQueries": "false"}
- Click Update.
- Restart ArcGIS Server.
Your site is now configured to allow users to send requests to map, feature, image, and WFS services using nonstandardized queries. To reenable standardized queries, repeat the above instructions but set the standardizedQueries property to true.
Supported SQL functions in ArcGIS Server
The following list shows which SQL functions are supported by ArcGIS Server and the syntax for each. When the following functions and syntax are used in your applications, ArcGIS Server converts them to conform to the specification of the database used by the service.
These functions apply to ArcGIS Server web services, not hosted web layers.
Function type | Function | Description | Example | Notes |
---|---|---|---|---|
Date | CURRENT_DATE | Returns the current date in the session time zone. | Datefield < CURRENT_DATE | Only the following date and timestamp syntax is supported: date 'yyyy-mm-dd', for example, Datefield = date '2012-05-29'; timestamp 'yyyy-mm-dd hh:mm:ss', for example, Datefield = timestamp '2012-05-29 15:14:25' |
Date | CURRENT_TIMESTAMP | Returns the current local time. | Timestampfield < CURRENT_TIMESTAMP | |
Date | EXTRACT(extract_field FROM extract_source) | Returns a single part of the date/time, such as year, month, day, hour, minute, etc. The extract_field argument can be one of the following keywords: YEAR, MONTH, DAY, HOUR, MINUTE, or SECOND. | Search all rows from the month of November: EXTRACT(MONTH FROM Datefield) = 11 | |
Math | ABS(numeric_exp) | Returns the absolute (positive) value of the specified numeric expression. | | |
Math | CEILING(numeric_exp) | Returns the smallest integer greater than, or equal to, the specified numeric expression. | | |
Math | FLOOR(numeric_exp) | Returns the largest integer less than or equal to the specified numeric expression. | | |
Math | LOG(float_exp) | Returns the natural logarithm of the specified float expression. | | |
Math | LOG10(float_exp) | Returns the base-10 logarithm of the specified float expression. | | |
Math | POWER(numeric_exp, integer_exp) | Returns the value of the specified expression to the specified power. | POWER(Numericfield, 2) = 16 | |
Math | ROUND(numeric_exp, integer_exp) | Returns a numeric value, rounded to the specified length or precision. | | |
Math | TRUNCATE(numeric_exp, integer_exp) | Returns a numeric value without rounding the value to a specific length or precision. | | |
String | CHAR_LENGTH(string_exp) | Returns the length in characters of the input string. | | |
String | CONCAT(string_exp1, string_exp2) | Returns a string that is the result of concatenating two or more string values. | | |
String | LOWER(string_exp) | Returns a character expression after converting uppercase character data to lowercase. | | |
String | SUBSTRING(string_exp FROM start FOR length) | Returns part of a character or text expression. | Search all rows where the first two characters from values in Stringfield are Ch: SUBSTRING(Stringfield FROM 1 FOR 2)='Ch' | |
String | UPPER(string_exp) | Returns a character expression with lowercase character data converted to uppercase. | | |
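As an added example (not Esri code or part of this topic), a pre-deployment check in Python that a developer can run over an application's where clauses before standardized queries are enforced: it allowlists the functions in the table above, flags subqueries, and checks that date and timestamp literals use the supported forms. It is a regex heuristic, not a SQL parser, and the function name check_where_clause is this example's own.

```python
import re

# Allowlist built from the supported-functions table in this topic.
SUPPORTED_FUNCTIONS = {
    "CURRENT_DATE", "CURRENT_TIMESTAMP", "EXTRACT",
    "ABS", "CEILING", "FLOOR", "LOG", "LOG10", "POWER", "ROUND", "TRUNCATE",
    "CHAR_LENGTH", "CONCAT", "LOWER", "SUBSTRING", "UPPER",
}
# Only date 'yyyy-mm-dd' and timestamp 'yyyy-mm-dd hh:mm:ss' are supported.
DATE_LITERAL = re.compile(r"\b(date|timestamp)\s*'([^']*)'", re.IGNORECASE)
DATE_FORMS = {
    "DATE": re.compile(r"^\d{4}-\d{2}-\d{2}$"),
    "TIMESTAMP": re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$"),
}
# An identifier directly followed by "(" is treated as a function call,
# except for keywords that legitimately precede a parenthesis, e.g. NAME IN (...).
CALL = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)\s*\(")
KEYWORDS_NOT_CALLS = {"AND", "OR", "NOT", "IN", "EXISTS"}

def check_where_clause(where):
    """Return the problems that would make `where` fail under standardized
    queries; an empty list means only the listed SQL subset is used."""
    problems = []
    # Blank out string literals so quoted text is not mistaken for SQL.
    stripped = re.sub(r"'(?:[^']|'')*'", "''", where)
    if re.search(r"\bSELECT\b", stripped, re.IGNORECASE):
        problems.append("subquery (SELECT) in where clause is not supported")
    for name in CALL.findall(stripped):
        upper = name.upper()
        if upper in KEYWORDS_NOT_CALLS or upper in SUPPORTED_FUNCTIONS:
            continue
        problems.append(f"function {upper}() is not in the supported list")
    # Literal forms are checked on the original text, before blanking.
    for kind, literal in DATE_LITERAL.findall(where):
        if not DATE_FORMS[kind.upper()].match(literal):
            problems.append(
                f"{kind.lower()} literal '{literal}' is not in the supported form")
    return problems
```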