Select to view content in your preferred language

queryFeatures SQL Injection

474
2
07-31-2023 09:28 AM
AddisonShaw
Occasional Contributor

Looking at integrating queryFeatures into our application to segment a large feature service by client.

We have concerns about SQL Injection with this approach as it would be somewhat trivial to modify the client-side where clause to return whatever data you want from a layer.

How are we supposed to handle this use case? Is it possible to proxy a feature service through a backend service that itself is using something like the ArcGIS REST API? That way we could essentially hide the query implementation from end users.

0 Kudos
2 Replies
JohnGrayson
Esri Regular Contributor

Not sure if it helps in your specific use case, but if you are using an online hosted Feature Layer I would suggest you check out the capability to create hosted Feature Layer View and it's ability to configure filters.

0 Kudos
AddisonShaw
Occasional Contributor

That could definitely work! Do you have a link to documentation for how to call it programmatically?

0 Kudos