Potential for SQL injection using QueryDataSource

02-04-2015 07:21 AM
BillDaigle
Occasional Contributor III

I would really like to start adding layers to my applications using Dynamic Layers and the QueryDataSource class.  This would allow me to display some relatively complex relationships on the fly with minimal input from users and without having to pre-symbolize and anticipate all possible combinations in a map service beforehand.

My only concern is that exposing SQL queries through a client-side application might open us up to SQL injection. Is anyone out there working with the QueryDataSource class? Are there any built-in safeguards against SQL injection?

2 Replies
PaulCrickard
New Contributor III

I think this is hitting a REST Endpoint so the security is handled by ArcServer.

BillDaigle
Occasional Contributor III

It looks like the parameter "useStandardizedQueries" that was added at 10.2 http://resources.arcgis.com/en/help/arcgis-rest-api/index.html#//02r3000000p1000000 likely addresses my concern.
