Double Dashes in Chartstrings Blocked

On the new gateway, the Chart of Accounts API responds with a 403 error whenever I submit a chartstring that leaves out an optional code.


Explanation:

The Chart of Accounts API endpoints accept a chartstring as a query parameter or as part of an XML request payload. A chartstring consists of seven separate codes combined into a single string in any of three ways:

  1. Delimited with dashes:  1-55221-19900-26412-44-EEMSIN-ELJLV
  2. Delimited with commas:  1,55221,19900,26412,44,EEMSIN,ELJLV
  3. Fixed position:  155221199002641244EEMSINELJLV

Since not all of the codes are always present, one or more missing codes result in a double dash ("--") somewhere in the parameter when using the dash method, e.g., 1-55221-19900-26412-44--ELJLV

Two consecutive dashes also happen to be how an in-line comment is started in SQL. Bad folks long ago figured out that this facilitates SQL injection (see SQL Injection UNION Attacks), so the WAF protecting the API Gateway rejects any request that includes a double dash and returns a "403 Forbidden" error.


Solution:

Don't use the dash-delimited method. The recommended method is to delimit the codes with commas.

You can use the fixed-position method of constructing the chartstring, but this requires representing any missing code (except at the end) with the correct number of spaces (each encoded as "%20" when used in the query parameter). Also, with this method an additional space must be included between the Program and Chartfield-1 codes.

For example, if there is no Chartfield-1 code (length = 6), your request would have to be:
"https://gateway.api.berkeley.edu/coa/?COA=155221199002641244%20%20%20%20..."
(That's seven spaces between Program = "44" and Chartfield-2 = "ELJLV.")
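The following helper, added here as an example and not code from the Chart of Accounts API or its gateway, builds the same chartstring in all three forms so you can see where the double dash comes from, which form the WAF screen would reject, and how the fixed-position padding for a missing Chartfield-1 works out to the seven spaces above. The field widths are read off the sample chartstring in the Explanation; leaving a missing code empty in the comma form, and leaving commas unencoded in the URL, are assumptions not stated on this page. The fixed-position builder follows the extra-space rule given in the Solution; note that item 3 in the Explanation shows the fully populated string without that extra space, so confirm which form the API expects before relying on it.

```python
"""Build and screen Chart of Accounts chartstrings (added example, not the API's own code)."""
from urllib.parse import quote

# Widths of the seven codes, read off the fixed-position sample on this page
# (1-55221-19900-26412-44-EEMSIN-ELJLV). Index 4 is Program, 5 is Chartfield-1,
# 6 is Chartfield-2; the page does not name the other four, so they stay positional.
FIELD_WIDTHS = (1, 5, 5, 5, 2, 6, 5)
CHARTFIELD1 = 5

# Constructed sample: the page's chartstring with Chartfield-1 left out (None).
SAMPLE_CODES = ("1", "55221", "19900", "26412", "44", None, "ELJLV")


def _check(codes):
    """Reject anything that is not seven codes of the expected width and charset."""
    if len(codes) != len(FIELD_WIDTHS):
        raise ValueError(f"expected {len(FIELD_WIDTHS)} codes, got {len(codes)}")
    for code, width in zip(codes, FIELD_WIDTHS):
        if code is not None and (len(code) != width or not code.isalnum()):
            raise ValueError(f"bad code {code!r}: expected {width} alphanumeric characters")


def comma_chartstring(codes):
    """Recommended form. A missing code is left empty between commas
    (assumption: the page does not show a missing code in comma form)."""
    _check(codes)
    return ",".join(c or "" for c in codes)


def dash_chartstring(codes):
    """Dash-delimited form; a missing code produces '--', which the WAF blocks."""
    _check(codes)
    return "-".join(c or "" for c in codes)


def fixed_chartstring(codes):
    """Fixed-position form as described under Solution: an interior missing code
    becomes that many spaces, trailing missing codes are dropped, and one extra
    space is inserted between Program and Chartfield-1."""
    _check(codes)
    # Only gaps before the last present code need padding.
    last_present = max((i for i, c in enumerate(codes) if c), default=-1)
    parts = []
    for i, (code, width) in enumerate(zip(codes, FIELD_WIDTHS)):
        if i > last_present:
            break
        if i == CHARTFIELD1:
            parts.append(" ")  # the additional space the Solution section calls for
        parts.append(code if code else " " * width)
    return "".join(parts)


def has_sql_comment_token(value):
    """The screen the gateway WAF applies: any '--' in the request is rejected."""
    return "--" in value


def coa_url(chartstring, base="https://gateway.api.berkeley.edu/coa/"):
    """Query-parameter form: spaces become %20 as in the page's example.
    Commas are left unencoded (assumption; the page shows no comma-form URL)."""
    return f"{base}?COA={quote(chartstring, safe=',')}"


if __name__ == "__main__":
    for name, fn in (("dash", dash_chartstring), ("comma", comma_chartstring), ("fixed", fixed_chartstring)):
        cs = fn(SAMPLE_CODES)
        verdict = "403 (double dash)" if has_sql_comment_token(cs) else "passes WAF screen"
        print(f"{name:5}: {cs!r:40} {verdict}")
    print(coa_url(fixed_chartstring(SAMPLE_CODES)))
```

Run it as a script to see the three renderings side by side; only the dash form trips the double-dash screen, and the fixed form for the missing Chartfield-1 case comes out to the seven spaces shown in the example above.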


Workaround:

In order to give you all enough time to make your applications eschew double dashes as much as we do, we've modified the WAF to allow them through, but only when they appear within a correctly formatted chartstring. The end date for this modification is yet to be determined; we'll be sure to give you plenty of warning.