ArcGIS API for JavaScript FeatureLayer definitionExpression 被认定为sql注入攻击

背景

 　　目前有一个区的图斑数据需要分乡镇展示，所以采用FeatureLayer 的 definitionExpression 构造SQL语句进行过滤，官方提供的示例：

　　

// Set definition expression in constructor to only display trees with scientific name Ulmus pumila
const layer = new FeatureLayer({
  url: "https://services.arcgis.com/V6ZHFr6zdgNZuVG0/arcgis/rest/services/Landscape_Trees/FeatureServer/0",
  definitionExpression: "Sci_Name = 'Ulmus pumila'"
});

    　

 // Set the definition expression directly on layer instance to only display trees taller than 50ft
 layer.definitionExpression = "HEIGHT > 50";

 

 

　　这个问题出来后，直接让我懵逼了，总不能把十几个乡镇的图斑分别发布出来然后加载吧，这样子太麻烦了，当然这是最坏的打算。

　　“领导”的意思是让后端来封装一层，这个在其他纯前端项目还好，sql语句放到后端，返回个json就好了。但这毕竟是GIS项目，人家都封装好了，就需要个url，塞个json不合适吧....还说arcgis server发布的就只能做demo，搞得我有点怀疑人生了

环境

　　 Vue3.0

　　@arcgis/core

问题

 　　利用definitionExpression 虽然方便，但是处于安全考虑，在正式环境下会被拦截。现场给的回复是“URL(0141)::where=town%20%3D%20%27320509101000%27%20and%20xcdcqk%20%3C%3E%20%270%27”，被认定为sql注入攻击 拦截了

解决方案

　　其实这个只需要前端规避下在请求url里面不要携带‘where’即可，所以就不要想着直接在定义featurelayer时过滤了，这样子肯定还是会携带‘where’，所以考虑在featurelayer加载后再处理。

　　我的解决方案是利用layerview的filter来做筛选:

　　

// display rain gauges where their water percent is over 30%
// and if the gauges are completely contained by the 10-mile
// buffer around the filter geometry
featureLayerView.filter = new FeatureFilter({
  where: "percentile >= 30",
  geometry: filterPolygon,
  spatialRelationship: "contains",
  distance: 10,
  units: "miles"
});

 

对比

原实际项目代码：

　 

 let definitionExpression
    if (townCode) {
      definitionExpression = `town = '${townCode}' and xcdcqk <> '0'`
    } else {
      definitionExpression = "xcdcqk <> '0'"
    }

    const patchesLayer = new FeatureLayer({
      id: 'patchesLayer',
      title: '图斑',
      url: patchesLayerUrl,
      definitionExpression: definitionExpression, //直接在实例化FeatureLayer时设置
      outFields: [
        'objectid_1',
        'fwbh',
        'lon',
        'lat',
        'needCheck',
        'fwlb',
        'fwmj',
        'flloors',
        'height'
      ],
      objectIdField: 'objectid_1',
      editingEnabled: true,
      renderer: pathchRender
    })
    map.layers.add(patchesLayer)

 

　　请求效果图，能看到查询的url里面携带‘where’：

  

　　改良后的项目代码：

    let definitionExpression
    if (townCode) {
      definitionExpression = `town = '${townCode}' and xcdcqk <> '0'`
    } else {
      definitionExpression = "xcdcqk <> '0'"
    }

    const patchesLayer = new FeatureLayer({
      id: 'patchesLayer',
      title: '图斑',
      url: patchesLayerUrl,
      // definitionExpression: definitionExpression,
      outFields: [
        'objectid_1',
        'fwbh',
        'lon',
        'lat',
        'needCheck',
        'fwlb',
        'fwmj',
        'flloors',
        'height'
      ],
      objectIdField: 'objectid_1',
      editingEnabled: true,
      renderer: pathchRender
    })
    map.layers.add(patchesLayer)
    view.whenLayerView(patchesLayer).then((layerView) => {
      patchLayerView = layerView
    //用layerView过滤
      patchLayerView.filter = {
        where: definitionExpression
      }
    })

 

请求效果图,可以看到请求的url中已经不再携带‘where’：

　　

 

 

---

 

　　

 

 

 

 

 

 

---