https://community.esri.com/t5/arcgis-javascript-maps-sdk-questions/how-to-use-parametervalues/m-p/1084440#M74076 <P>I just use basic js. Below is a small sample of how I read the url parameters and process... So just grab your parameters from url (.../index.html?param1=xx&amp;param2?=yy....) and do your query. This is a code in one of my custom widgets in WAB. So you will see use of this. Another option is to use node.js.</P><P>PS. I posted the code using the "insert code sample" and it looks good on preview. Don't know why when it's posted it shows with no formatting. Sorry.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="javascript">urlSubstring = location.search; console.log(urlSubstring) if (urlSubstring.includes("?")) { this.geturl(urlSubstring); } ------- ------ geturl: function (urlSubstring) { urlSubstring = location.search.substring(1); if (urlSubstring.indexOf("?") &gt; 0) { var myparams1 = urlSubstring.split('?'); urlSubstring = myparams1[1]; } if (urlSubstring) { var params = urlSubstring.split('&amp;'); var length = params.length; var i; var index; index = -1; for (i = 0; i &lt; length; i++) { var variablesPair = params[i]; if ((index = variablesPair.indexOf("=")) &gt;= 0) { var varReceived = variablesPair.substring(0, index); var valueReceived = variablesPair.substring(index + 1); if (varReceived == "apn") { apn = valueReceived; this.gettheParcel(apn); } if (varReceived == "county") { ----- -----</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 30 Jul 2021 17:12:12 GMT LefterisKoumis 2021-07-30T17:12:12Z https://community.esri.com/t5/arcgis-javascript-maps-sdk-questions/how-to-use-parametervalues/m-p/1084405#M74075 <P>I am trying to execute queries on a layer based on user input. All the examples I see for doing this look something like this:</P><LI-CODE lang="javascript">query.where = "NAME = '" + rawUserInput + "'";</LI-CODE><P>I'm aware that the risk of SQL injection is something the server administrator is responsible for taking care of, however even when ignoring potential security issues, we still have inconvenient bugs to be concerned about. I will still need to think about escaping single quotes, and who knows what other special characters, before dumping them into the query.</P><P>It would certainly be nice if we could do properly parameterized queries. I see there's a <A href="https://developers.arcgis.com/javascript/latest/api-reference/esri-rest-support-Query.html#parameterValues" target="_blank" rel="noopener">parameterValues</A> property I could use, however I can't actually figure out how to use it, and I see no examples anywhere in all my web searches.</P><P>Are parameterized queries even possible? Can I have an example?</P><P><A href="https://stackoverflow.com/q/68579214/138757" target="_blank" rel="noopener">Related StackOverflow question</A>&nbsp;</P><P><A href="https://www.reddit.com/r/gis/comments/al4979/arcgis_api_for_javascript_querytask_sql_injection/" target="_blank" rel="noopener">Related Reddit thread</A>&nbsp;</P><P>&nbsp;</P> Fri, 30 Jul 2021 14:24:43 GMT https://community.esri.com/t5/arcgis-javascript-maps-sdk-questions/how-to-use-parametervalues/m-p/1084405#M74075 pcrock 2021-07-30T14:24:43Z https://community.esri.com/t5/arcgis-javascript-maps-sdk-questions/how-to-use-parametervalues/m-p/1084440#M74076 <P>I just use basic js. Below is a small sample of how I read the url parameters and process... So just grab your parameters from url (.../index.html?param1=xx&amp;param2?=yy....) and do your query. This is a code in one of my custom widgets in WAB. So you will see use of this. Another option is to use node.js.</P><P>PS. I posted the code using the "insert code sample" and it looks good on preview. Don't know why when it's posted it shows with no formatting. Sorry.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="javascript">urlSubstring = location.search; console.log(urlSubstring) if (urlSubstring.includes("?")) { this.geturl(urlSubstring); } ------- ------ geturl: function (urlSubstring) { urlSubstring = location.search.substring(1); if (urlSubstring.indexOf("?") &gt; 0) { var myparams1 = urlSubstring.split('?'); urlSubstring = myparams1[1]; } if (urlSubstring) { var params = urlSubstring.split('&amp;'); var length = params.length; var i; var index; index = -1; for (i = 0; i &lt; length; i++) { var variablesPair = params[i]; if ((index = variablesPair.indexOf("=")) &gt;= 0) { var varReceived = variablesPair.substring(0, index); var valueReceived = variablesPair.substring(index + 1); if (varReceived == "apn") { apn = valueReceived; this.gettheParcel(apn); } if (varReceived == "county") { ----- -----</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 30 Jul 2021 17:12:12 GMT https://community.esri.com/t5/arcgis-javascript-maps-sdk-questions/how-to-use-parametervalues/m-p/1084440#M74076 LefterisKoumis 2021-07-30T17:12:12Z https://community.esri.com/t5/arcgis-javascript-maps-sdk-questions/how-to-use-parametervalues/m-p/1085059#M74103 <P>Hi there,&nbsp;</P><P>Just a quick note on the <A href="https://developers.arcgis.com/javascript/latest/api-reference/esri-rest-support-Query.html#parameterValues" target="_self">parameterValues</A>. This parameter can only be used with ArcGIS map service that was published from a query layer. We will update the document to clarify this point.&nbsp;</P><P><A href="https://pro.arcgis.com/en/pro-app/latest/help/mapping/layer-properties/creating-a-query-layer.htm" target="_self">This document</A> talks about how to create a query layer in ArcGIS Pro and <A href="https://developers.arcgis.com/rest/services-reference/enterprise/query-map-service-layer-.htm" target="_self">this rest api doc</A> explains what parameterValues is.&nbsp;</P><P>Hope this clarifies what parameterValues does.&nbsp;</P><P>-Undral</P> Mon, 02 Aug 2021 19:14:03 GMT https://community.esri.com/t5/arcgis-javascript-maps-sdk-questions/how-to-use-parametervalues/m-p/1085059#M74103 UndralBatsukh 2021-08-02T19:14:03Z