首页 > 数据库 >ArcGIS API for JavaScript FeatureLayer definitionExpression 被认定为sql注入攻击

ArcGIS API for JavaScript FeatureLayer definitionExpression 被认定为sql注入攻击

时间:2022-08-23 13:46:13浏览次数:115  
标签:autocasts color definitionExpression JavaScript FeatureLayer value new where

背景

   目前有一个区的图斑数据需要分乡镇展示,所以采用FeatureLayer 的 definitionExpression 构造SQL语句进行过滤,官方提供的示例

  

1 // Set definition expression in constructor to only display trees with scientific name Ulmus pumila
2 const layer = new FeatureLayer({
3   url: "https://services.arcgis.com/V6ZHFr6zdgNZuVG0/arcgis/rest/services/Landscape_Trees/FeatureServer/0",
4   definitionExpression: "Sci_Name = 'Ulmus pumila'"
5 });

     

 // Set the definition expression directly on layer instance to only display trees taller than 50ft
 layer.definitionExpression = "HEIGHT > 50";

 

 

  这个问题出来后,直接让我懵逼了,总不能把十几个乡镇的图斑分别发布出来然后加载吧,这样子太麻烦了,当然这是最坏的打算。

  “领导”的意思是让后端来封装一层,这个在其他纯前端项目还好,sql语句放到后端,返回个json就好了。但这毕竟是GIS项目,人家都封装好了,就需要个url,塞个json不合适吧....还说arcgis server发布的就只能做demo,搞得我有点怀疑人生了

环境

   Vue3.0

  @arcgis/core

问题

   利用definitionExpression 虽然方便,但是处于安全考虑,在正式环境下会被拦截。现场给的回复是“URL(0141)::where=town%20%3D%20%27320509101000%27%20and%20xcdcqk%20%3C%3E%20%270%27”,被认定为sql注入攻击 拦截了

解决方案

  其实这个只需要前端规避下在请求url里面不要携带‘where’即可,所以就不要想着直接在定义featurelayer时过滤了,这样子肯定还是会携带‘where’,所以考虑在featurelayer加载后再处理。

  我的解决方案是利用layerview的filter来做筛选:

  

 1 // display rain gauges where their water percent is over 30%
 2 // and if the gauges are completely contained by the 10-mile
 3 // buffer around the filter geometry
 4 featureLayerView.filter = new FeatureFilter({
 5   where: "percentile >= 30",
 6   geometry: filterPolygon,
 7   spatialRelationship: "contains",
 8   distance: 10,
 9   units: "miles"
10 });

 

对比

  项目原代码:

  

 1 let definitionExpression
 2       if (townCode) {
 3         definitionExpression = `town = '${townCode}' and xcdcqk <> '0'`
 4       } else {
 5         definitionExpression = "xcdcqk <> '0'"
 6       }
 7       const pathchRender = {
 8         type: 'unique-value',
 9         field: 'needCheck',
10         defaultSymbol: {
11           type: 'simple-fill', // autocasts as new SimpleFillSymbol()
12           color: [227, 139, 79, 0],
13           outline: {
14             // autocasts as new SimpleLineSymbol()
15 
16             color: [0, 245, 255],
17             width: 2.5
18           }
19         },
20         uniqueValueInfos: [
21           {
22             // All features with value of "East" will be green
23             value: 1,
24             symbol: {
25               type: 'simple-fill', // autocasts as new SimpleFillSymbol()
26               color: [227, 139, 79, 0],
27               outline: {
28                 // autocasts as new SimpleLineSymbol()
29                 color: [0, 245, 255],
30                 width: 2.5
31               }
32             }
33           },
34           {
35             // All features with value of "East" will be green
36             value: 0,
37             symbol: {
38               type: 'simple-fill', // autocasts as new SimpleFillSymbol()
39               color: [227, 139, 79, 0],
40               outline: {
41                 // autocasts as new SimpleLineSymbol()
42 
43                 color: [150, 150, 150],
44                 width: 2.5
45               }
46             }
47           }
48         ]
49       }
50 
51       const patchesLayer = new FeatureLayer({
52         id: 'patchesLayer',
53         title: '图斑',
54         url: patchesLayerUrl,
55         definitionExpression: definitionExpression,
56         outFields: [
57           'objectid_1',
58           'fwbh',
59           'lon',
60           'lat',
61           'needCheck',
62           'fwlb',
63           'fwmj',
64           'flloors',
65           'height'
66         ],
67         objectIdField: 'objectid_1',
68         editingEnabled: true,
69         renderer: pathchRender
70       })
71       map.layers.add(patchesLayer)
View Code

  请求效果图,能看到查询的url里面携带‘where’:

 

 

 

 

 

  改良后的项目代码:

 

 

 1 let definitionExpression
 2       if (townCode) {
 3         definitionExpression = `town = '${townCode}' and xcdcqk <> '0'`
 4       } else {
 5         definitionExpression = "xcdcqk <> '0'"
 6       }
 7       const pathchRender = {
 8         type: 'unique-value',
 9         field: 'needCheck',
10         defaultSymbol: {
11           type: 'simple-fill', // autocasts as new SimpleFillSymbol()
12           color: [227, 139, 79, 0],
13           outline: {
14             // autocasts as new SimpleLineSymbol()
15 
16             color: [0, 245, 255],
17             width: 2.5
18           }
19         },
20         uniqueValueInfos: [
21           {
22             // All features with value of "East" will be green
23             value: 1,
24             symbol: {
25               type: 'simple-fill', // autocasts as new SimpleFillSymbol()
26               color: [227, 139, 79, 0],
27               outline: {
28                 // autocasts as new SimpleLineSymbol()
29                 color: [0, 245, 255],
30                 width: 2.5
31               }
32             }
33           },
34           {
35             // All features with value of "East" will be green
36             value: 0,
37             symbol: {
38               type: 'simple-fill', // autocasts as new SimpleFillSymbol()
39               color: [227, 139, 79, 0],
40               outline: {
41                 // autocasts as new SimpleLineSymbol()
42 
43                 color: [150, 150, 150],
44                 width: 2.5
45               }
46             }
47           }
48         ]
49       }
50 
51       const patchesLayer = new FeatureLayer({
52         id: 'patchesLayer',
53         title: '图斑',
54         url: patchesLayerUrl,
55         // definitionExpression: definitionExpression,
56         outFields: [
57           'objectid_1',
58           'fwbh',
59           'lon',
60           'lat',
61           'needCheck',
62           'fwlb',
63           'fwmj',
64           'flloors',
65           'height'
66         ],
67         objectIdField: 'objectid_1',
68         editingEnabled: true,
69         renderer: pathchRender
70       })
71       map.layers.add(patchesLayer)
72       view.whenLayerView(patchesLayer).then((layerView) => {
73         patchLayerView = layerView
74         patchLayerView.filter = {
75           where: definitionExpression
76         }
77       })
View Code

请求效果图,可以看到请求的url中已经不再携带‘where’:

  

 

 

  

标签:autocasts,color,definitionExpression,JavaScript,FeatureLayer,value,new,where
From: https://www.cnblogs.com/youzi-xuchongyou/p/16615838.html

相关文章

  • Javascript日期、城市选择器(demo)
    1<htmlxmlns="http://www.w3.org/1999/xhtml">2<head>3<title>精美js日期选择器,js省市选择器-何问起</title>4<linktype="text/css"rel="Stylesheet"hre......
  • ArcGIS API for JavaScript Editor Widget 选中多个要素不显示名称
    背景 最近升级时遇到了之前碰到的问题,但是忘记解决方法了。又重新对比了旧代码才找到,所以记录下。FeatureLayer的构建方式不是url,而是用的source环境 Vu......
  • 【JavaScript】各种手写题汇总复习
    防抖functionthrottle(fun,time){lettimer=nullreturn()=>{if(timer){return}fun()timer=setTimeout(()=>{time......
  • js拆分选择题各选项【javascript将选择题选项通过正则表达式拆分出来】
    最近做题库项目需要添加试题,尤其是选择题逐个添加各选项很繁琐。通过以下正则表达式可以将选择题题目、选项迅速分离出来,并自动添加到选项文本框$("#split").clic......
  • 序言 - JavaScript指南
    序  言 对于JavaScript,一直想写点什么。成为软件工程师是很早的事情了,接触JavaScript也算比较早吧,在大学时,与不少程序员一样,在电脑前通宵达旦几天也不觉得疲倦。......
  • JavaScript实现数字前补“0”的五种方法示例
    来自:https://www.jb51.net/article/153945.htm侵删<!DOCTYPEhtmlPUBLIC"-//W3C//DTDXHTML1.0Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-trans......
  • JavaScript快速入门-04-运算符
    4运算符4.1算术运算符4.1.1概述  JavaScript提供的算术运算符如下所示:类型符号示例加法运算符+a+b减法运算符-a-b乘法运算符*a*b除......
  • 封面 - JavaScript指南
     IT软件开发之JavaScript   AGuidetoJavaScriptJavaScript指南-------------------------------------------------------------------------------争取做......
  • JavaScript(上)
    说说你对作用域链的理解作用域链的作用是保证执行环境里有权访问的变量和函数是有序的,作用域链的变量只能向上访问,变量访问到window对象即被终止,作用域链向下访问变......
  • JavaScript使用reduce动态修改对象的属性名
      首先在添加到数组的时候,弄2个,把number冒号右边的是可以动态修改的,后面再使用reduce合并;    countryChildrenDouble的数据     合并之后twoO......

赞助商

阅读排行

网站主页关于我们联系我们网站地图

本网站内容转载自其他媒体,侵权联系[admin##ips99.com]。

Copyright © 2020-2023 IPS99 版权所有 IPS99