ArcGIS Server JavaScript API - Search with apostrophes

We recently ran into a problem with our queryTask and findTask calls when the search text contains an apostrophe. Submit a query or find task whose search text includes an apostrophe and the request fails with the following error:

Unable to perform query. Please check your parameters.

This is actually an issue with SQL Server rather than the JavaScript API. The search text ends up inside a single-quoted string literal in the SQL WHERE clause that ArcGIS Server builds for the database, so a lone apostrophe terminates that literal early and leaves invalid SQL behind, which is what the error above reports. SQL's escape for an apostrophe inside a string literal is a pair of apostrophes, so every apostrophe in the search text has to be doubled before the value is sent. The same behaviour also tells you that the value is being interpolated into the query as text rather than bound as a parameter, so any character that can break the query can, with crafted input, also change what it does; the escaping is therefore not optional, and it must cover every apostrophe in the value, not just the first one.

To fix this issue, we used the following JavaScript code:

// Read the selected county name from the form.
var county = dojo.byId('countySelect').value;

// Double every apostrophe so the value survives inside a SQL string literal.
// The regex with the global flag is needed: String.replace with a plain
// string argument only replaces the first occurrence, so "O'Brien's" would
// be left half-escaped and the query would still fail.
county = county.replace(/'/g, "''");

This must be done for every value that goes into the where clause of any queryTask or findTask, wherever the data being searched can contain apostrophes.
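The following is an added example, not code from the original post, that packages the escaping described above into a helper, builds the where clause the way queryTask and findTask would use it, and shows why the global regex matters by comparing it with a first-occurrence-only replace. The field name NAME and the sample county values are constructed for illustration and are assumptions, not data from the post.

```javascript
// Added example (not from the original post): escape every apostrophe in a
// search value before it is interpolated into an ArcGIS where clause.
// The field name and the sample values below are assumptions for illustration.

// SQL string-literal escaping: an apostrophe inside a '...' literal is
// written as two apostrophes. The regex needs the global flag because
// String.prototype.replace with a plain string argument replaces only the
// first occurrence.
function escapeSqlLiteral(value) {
  if (value === null || value === undefined) {
    return "";
  }
  return String(value).replace(/'/g, "''");
}

// Build the where clause that queryTask / findTask send to the server.
function buildWhere(fieldName, value) {
  return fieldName + " = '" + escapeSqlLiteral(value) + "'";
}

// The one-shot string replace, kept here only to show what it misses.
function escapeFirstOnly(value) {
  return value.replace("'", "''");
}

// Count apostrophes that are not part of a doubled pair. A non-zero count
// means the string literal will terminate early: the query fails, or with
// crafted input the remainder is parsed as SQL.
function unescapedApostrophes(escaped) {
  var count = 0;
  for (var i = 0; i < escaped.length; i++) {
    if (escaped[i] === "'") {
      if (escaped[i + 1] === "'") {
        i++; // skip the second half of an escaped pair
      } else {
        count++;
      }
    }
  }
  return count;
}

// Constructed sample values covering the edge cases.
var samples = [
  "Prince George's",   // one apostrophe
  "O'Brien's Landing", // two apostrophes: first-only replace leaves one open
  "x' OR 1=1 --",      // apostrophe followed by SQL fragments
  "Montgomery"         // none
];

samples.forEach(function (s) {
  console.log(buildWhere("NAME", s));
});
```

Run the block with node to print the escaped where clauses. Note that `escapeFirstOnly("O'Brien's Landing")` still leaves one apostrophe unescaped, which is exactly the case that reproduces the "Unable to perform query" error even after the fix is applied once.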

Comments
That's an interesting one; it suggests that the values are going to the database as strings in the where clause, rather than as query parameters, which would suggest SQL injection is a possibility.
# Posted By Dav | 6/3/09 7:13 AM
nice post
# Posted By KEYWORD | 6/28/09 3:36 AM
Came across your site when I started researching the potential for a SQL injection possibility in the REST API. Check this out: http://vishfulthinking.net/blog/post/exploringexpl.... Subqueries in the WHERE clause!
# Posted By Jeff Burgess | 7/28/09 11:28 PM