
queryFeatures SQL Injection

07-31-2023 09:28 AM
AddisonShaw
New Contributor III

Looking at integrating queryFeatures into our application to segment a large feature service by client.

We have concerns about SQL Injection with this approach as it would be somewhat trivial to modify the client-side where clause to return whatever data you want from a layer.

How are we supposed to handle this use case? Is it possible to proxy a feature service through a backend service that itself is using something like the ArcGIS REST API? That way we could essentially hide the query implementation from end users.

0 Kudos
2 Replies
JohnGrayson
Esri Regular Contributor

Not sure if it helps in your specific use case, but if you are using an online hosted Feature Layer I would suggest you check out the capability to create a hosted Feature Layer View and its ability to configure filters.

0 Kudos
AddisonShaw
New Contributor III

That could definitely work! Do you have a link to documentation for how to call it programmatically?

0 Kudos
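The backend-proxy idea raised in the question, sketched as an added example (not code from the thread or from Esri): the server builds the `where` clause itself, taking the client restriction from the authenticated session and accepting only structured, allowlisted filters from the browser. The `CLIENT_ID` column, the field names and the `session.clientId` property are assumptions; `where`, `outFields`, `returnGeometry` and `f` are the parameters of the ArcGIS REST `query` operation.

```javascript
// Hypothetical schema: the layer has a CLIENT_ID column plus these queryable fields.
const ALLOWED_FIELDS = { STATUS: "string", PARCEL_ID: "number", CITY: "string" };
const ALLOWED_OPS = new Set(["=", "<>", "<", "<=", ">", ">="]);

// Render a validated value as a SQL literal; single quotes in strings are doubled.
function sqlLiteral(value, type) {
  if (type === "number") {
    if (typeof value !== "number" || !Number.isFinite(value)) {
      throw new Error("numeric value required");
    }
    return String(value);
  }
  if (typeof value !== "string" || value.length > 100) {
    throw new Error("string value (max 100 chars) required");
  }
  return "'" + value.replace(/'/g, "''") + "'";
}

// Build the parameters for the REST query operation. The browser never sends a
// where clause, only { field, op, value } filters; the tenant predicate comes
// from the server-side session and is always ANDed in first.
function buildTenantQuery(session, filters = []) {
  if (!Number.isInteger(session.clientId)) {
    throw new Error("no tenant bound to session");
  }
  const clauses = [`CLIENT_ID = ${session.clientId}`];
  for (const { field, op, value } of filters) {
    const known = Object.prototype.hasOwnProperty.call(ALLOWED_FIELDS, field);
    if (!known) throw new Error(`field not allowed: ${field}`);
    if (!ALLOWED_OPS.has(op)) throw new Error(`operator not allowed: ${op}`);
    clauses.push(`${field} ${op} ${sqlLiteral(value, ALLOWED_FIELDS[field])}`);
  }
  return {
    where: clauses.map((c) => `(${c})`).join(" AND "),
    outFields: Object.keys(ALLOWED_FIELDS).join(","),
    returnGeometry: "true",
    f: "json",
  };
}

// Constructed sample input: a filter value containing a quote stays inside its literal.
const sample = buildTenantQuery({ clientId: 42 }, [
  { field: "STATUS", op: "=", value: "open' OR '1'='1" },
]);
console.log(sample.where);
```

The backend would send these parameters to the layer's REST `query` endpoint using credentials held server-side. The segmentation only holds if end users cannot reach the feature service directly.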