Looking at integrating queryFeatures into our application to segment a large feature service by client.
We have concerns about SQL Injection with this approach as it would be somewhat trivial to modify the client-side where clause to return whatever data you want from a layer.
How are we supposed to handle this use case? Is it possible to proxy a feature service through a backend service that itself is using something like the ArcGIS REST API? That way we could essentially hide the query implementation from end users.
Not sure if it helps in your specific use case, but if you are using an online hosted Feature Layer I would suggest you check out the capability to create hosted Feature Layer View and it's ability to configure filters.
That could definitely work! Do you have a link to documentation for how to call it programmatically?