How to prevent malicious/careless use of a QueryTask?

Discussion created by stevel on Jul 26, 2011
Latest reply on Jul 28, 2011 by
The samples using the Query and Find tasks carefully manage the query, for example using a point for the query.geometry, or only allowing a known field to be searched.

What are the best practices to avoid problems, when allowing the user to enter the query.where clause themselves?

For example, the user might enter 1=1 or OBJECTID > 1, resulting in the query timing out (especially if the query is returning the geometry).

One option could be to run QueryTask.executeForCount to ensure that no more than X features are returned - but even this requires the query to finish (or time out) before returning a count.
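One way to take the decision away from the free-text input entirely, as an added example that is not code from the original post or from the ArcGIS API: instead of passing the user's text through to query.where, parse it into a small, fixed grammar (allowlisted field, allowlisted operator, one literal, joined by AND/OR with optional parentheses), reject anything else, and rebuild the clause from the parse so only the canonical form reaches the service. The field list, operator lists and predicate limit below are assumptions for the example; a real application would derive them from the layer it exposes.

```javascript
// Added example, not code from the original post or from the ArcGIS API:
// a validator for a user-entered where clause. It tokenizes the input,
// accepts only "FIELD op literal" predicates joined by AND/OR (with optional
// parentheses), checks each field, operator and literal type against an
// allowlist, and rebuilds the clause from the parse so nothing the parser
// did not understand reaches query.where. Field names and limits below are
// assumptions for the example.

const ALLOWED_FIELDS = {
  OBJECTID:   { type: 'num', ops: ['='] },            // exact lookup only, no "OBJECTID > 1"
  STATE_NAME: { type: 'str', ops: ['=', 'LIKE'] },
  POP2000:    { type: 'num', ops: ['=', '<', '>', '<=', '>='] },
};
const MAX_PREDICATES = 5;

// Sticky regex: one token at a time, leading whitespace skipped.
const TOKEN_RE = /\s*(?:(\()|(\))|(<=|>=|<>|=|<|>)|('(?:[^']|'')*')|(-?\d+(?:\.\d+)?)|([A-Za-z_][A-Za-z0-9_]*))/y;

function tokenize(where) {
  const tokens = [];
  let pos = 0;
  while (pos < where.length) {
    TOKEN_RE.lastIndex = pos;
    const m = TOKEN_RE.exec(where);
    // No alternative matched: ';', '--', '/*', '||' and the like end up here.
    if (!m) throw new Error(`unexpected input at offset ${pos}`);
    pos = TOKEN_RE.lastIndex;
    if (m[1]) tokens.push({ t: 'lparen' });
    else if (m[2]) tokens.push({ t: 'rparen' });
    else if (m[3]) tokens.push({ t: 'op', v: m[3] });
    else if (m[4]) tokens.push({ t: 'str', v: m[4].slice(1, -1).replace(/''/g, "'") });
    else if (m[5]) tokens.push({ t: 'num', v: m[5] });
    else {
      const w = m[6].toUpperCase();           // fields and keywords matched case-insensitively
      if (w === 'AND' || w === 'OR') tokens.push({ t: 'bool', v: w });
      else if (w === 'LIKE') tokens.push({ t: 'op', v: 'LIKE' });
      else tokens.push({ t: 'ident', v: w });
    }
  }
  return tokens;
}

// Recursive-descent parser that returns the rebuilt clause or throws.
function parse(tokens) {
  let i = 0;
  let predicates = 0;
  const peek = () => tokens[i];
  const next = () => tokens[i++];

  function expr() {
    let out = term();
    while (peek() && peek().t === 'bool') out += ` ${next().v} ${term()}`;
    return out;
  }

  function term() {
    const tok = next();
    if (!tok) throw new Error('unexpected end of clause');
    if (tok.t === 'lparen') {
      const inner = expr();
      const close = next();
      if (!close || close.t !== 'rparen') throw new Error('missing )');
      return `(${inner})`;
    }
    // Every predicate must start with an allowlisted field: this is what
    // rejects tautologies such as 1=1 or 'a'='a'.
    if (tok.t !== 'ident') throw new Error('expected a field name');
    const spec = ALLOWED_FIELDS[tok.v];
    if (!spec) throw new Error(`field ${tok.v} is not queryable`);
    const op = next();
    if (!op || op.t !== 'op' || !spec.ops.includes(op.v)) {
      throw new Error(`operator not allowed for ${tok.v}`);
    }
    const lit = next();
    if (!lit || lit.t !== spec.type) throw new Error(`expected a ${spec.type} literal for ${tok.v}`);
    if (++predicates > MAX_PREDICATES) throw new Error('too many predicates');
    // Re-quote strings ourselves; the user's own quoting never reaches the server.
    const value = lit.t === 'str' ? `'${lit.v.replace(/'/g, "''")}'` : lit.v;
    return `${tok.v} ${op.v} ${value}`;
  }

  const where = expr();
  if (i !== tokens.length) throw new Error('trailing input');
  return where;
}

// Returns { ok: true, where } with a canonical clause, or { ok: false, reason }.
function validateWhere(userWhere) {
  try {
    const tokens = tokenize(String(userWhere).trim());
    if (tokens.length === 0) throw new Error('empty clause');
    return { ok: true, where: parse(tokens) };
  } catch (e) {
    return { ok: false, reason: e.message };
  }
}
```

Only `result.where` from a successful validation is assigned to `query.where`; on failure the message goes back to the user and no request is sent. With the allowlist above, `1=1` fails because no predicate starts with a field, `OBJECTID > 1` fails because only `=` is permitted on that field, and `STATE_NAME = 'x'; DROP TABLE foo` fails at the `;` before any SQL is assembled. A clause that passes can still be expensive (a `LIKE` with a leading wildcard, for instance), so this is a first gate, not a replacement for the count-first check from the post or the service's own record limit.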