https://community.esri.com/t5/arcgis-experience-builder-questions/sql-injection-using-url-parameters/m-p/1685741#M22518 <P>I have a security concern about public faced experience builder applications. I was planning to use data_filter parameter to filter the data source with query expression. however, when I changed to some different expression, it also executes and returns features as expected behavior.<SPAN>User can also go to network tab, &nbsp;grab that url and can play with it. I have also restricted to see some sensitive information.&nbsp;</SPAN> We can restrict this by using proxy or server based apis to allow certain urls with a few parameter patterns, And also, using api keys. Is there any way to restrict sql injection from service level &nbsp;or server level?&nbsp;</P> Sat, 21 Feb 2026 17:32:27 GMT vijaybadugu 2026-02-21T17:32:27Z https://community.esri.com/t5/arcgis-experience-builder-questions/sql-injection-using-url-parameters/m-p/1685741#M22518 <P>I have a security concern about public faced experience builder applications. I was planning to use data_filter parameter to filter the data source with query expression. however, when I changed to some different expression, it also executes and returns features as expected behavior.<SPAN>User can also go to network tab, &nbsp;grab that url and can play with it. I have also restricted to see some sensitive information.&nbsp;</SPAN> We can restrict this by using proxy or server based apis to allow certain urls with a few parameter patterns, And also, using api keys. Is there any way to restrict sql injection from service level &nbsp;or server level?&nbsp;</P> Sat, 21 Feb 2026 17:32:27 GMT https://community.esri.com/t5/arcgis-experience-builder-questions/sql-injection-using-url-parameters/m-p/1685741#M22518 vijaybadugu 2026-02-21T17:32:27Z