stevel

How to prevent malicious/careless use of a QueryTask?

Discussion created by stevel on Jul 26, 2011
Latest reply on Jul 28, 2011 by ciava.at
The samples using the Query and Find tasks carefully manage the query, for example using a point for the query.geometry, or only allowing a known field to be searched.

What are the best practices to avoid problems, when allowing the user to enter the query.where clause themselves?

For example, the user might enter 1=1 or OBJECTID > 1, resulting in the query timing out (especially if the query is returning the geometry).

One option could be to run QueryTask.executeForCount to ensure that no more than X features are returned - but even this requires the query to finish (or time out) before returning a count.

Thanks,
Steve
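One way to apply both guards the post mentions, as an added example that is not code from the original thread: instead of passing free text straight into query.where, accept only a single FIELD OP VALUE comparison against an allow-list of fields, rebuild the clause with the client's own quoting, and then call executeForCount (with returnGeometry off) before execute so oversized result sets are refused. The layer schema (STATE_NAME, POP2000, OBJECTID), the sample features and MockQueryTask are constructed stand-ins so the block runs offline; the callback/errback shape of execute and executeForCount mirrors esri.tasks.QueryTask but nothing here touches a real service.

```javascript
"use strict";

// Allow-list of queryable fields and their SQL types (hypothetical layer).
const ALLOWED_FIELDS = { STATE_NAME: "string", POP2000: "number", OBJECTID: "number" };

// Exactly one comparison: FIELD OP VALUE. "1=1", OR chains, comments,
// subqueries and function calls do not match and are rejected outright.
const CLAUSE_RE =
  /^\s*([A-Za-z_][A-Za-z0-9_]*)\s*(<>|<=|>=|=|<|>)\s*('(?:[^']|'')*'|-?\d+(?:\.\d+)?)\s*$/;

const OPS = {
  "=": (a, b) => a === b, "<>": (a, b) => a !== b,
  "<": (a, b) => a < b, "<=": (a, b) => a <= b,
  ">": (a, b) => a > b, ">=": (a, b) => a >= b,
};

// Parse a user clause against the allow-list; returns {field, op, value} or throws.
function parseClause(text) {
  const m = CLAUSE_RE.exec(text);
  if (!m) throw new Error("where clause must be a single FIELD OP VALUE comparison");
  const field = m[1].toUpperCase(), op = m[2], raw = m[3];
  const type = ALLOWED_FIELDS[field];
  if (!type) throw new Error("field not queryable: " + field);
  const quoted = raw.charAt(0) === "'";
  if (quoted !== (type === "string")) throw new Error("value type does not match " + field);
  // SQL string literals escape a quote by doubling it; undo that for the value.
  const value = quoted ? raw.slice(1, -1).replace(/''/g, "'") : Number(raw);
  return { field, op, value };
}

// Rebuild the clause from the parsed parts so only our own quoting reaches the server.
function buildSafeWhere(text) {
  const { field, op, value } = parseClause(text);
  return typeof value === "string"
    ? `${field} ${op} '${value.replace(/'/g, "''")}'`
    : `${field} ${op} ${value}`;
}

// Second guard: count first without geometry, refuse to fetch oversized result sets.
function runCappedQuery(task, query, maxFeatures, callback, errback) {
  const countQuery = Object.assign({}, query, { returnGeometry: false });
  task.executeForCount(countQuery, (count) => {
    if (count > maxFeatures) {
      errback(new Error(`query matches ${count} features, limit is ${maxFeatures}`));
      return;
    }
    task.execute(query, callback, errback);
  }, errback);
}

// Hypothetical in-memory stand-in for esri.tasks.QueryTask (same callback shape).
class MockQueryTask {
  constructor(features) { this.features = features; }
  _select(query) {
    const { field, op, value } = parseClause(query.where);
    return this.features.filter((f) => OPS[op](f[field], value));
  }
  executeForCount(query, callback, errback) {
    try { callback(this._select(query).length); } catch (e) { errback(e); }
  }
  execute(query, callback, errback) {
    try { callback({ features: this._select(query) }); } catch (e) { errback(e); }
  }
}

// Constructed sample data for the mock layer.
const SAMPLE = [
  { OBJECTID: 1, STATE_NAME: "Texas", POP2000: 20851820 },
  { OBJECTID: 2, STATE_NAME: "Ohio", POP2000: 11353140 },
  { OBJECTID: 3, STATE_NAME: "O'Neil", POP2000: 12 },
];

// End-to-end: validate the user's text, then run the capped query.
// Returns {ok: [STATE_NAME...]} on success or {error: message} on rejection.
function queryFromUser(userText, maxFeatures) {
  const result = { ok: null, error: null };
  let where;
  try { where = buildSafeWhere(userText); }
  catch (e) { result.error = e.message; return result; }
  const query = { where, outFields: ["STATE_NAME"], returnGeometry: true };
  runCappedQuery(new MockQueryTask(SAMPLE), query, maxFeatures,
    (r) => { result.ok = r.features.map((f) => f.STATE_NAME); },
    (e) => { result.error = e.message; });
  return result;
}

console.log(queryFromUser("1=1", 10));                  // rejected by the grammar
console.log(queryFromUser("STATE_NAME = 'O''Neil'", 10)); // quoting survives the round trip
console.log(queryFromUser("OBJECTID > 1", 1));          // rejected by the count cap
```

The count step still costs a server round trip, as the post notes, so the grammar check is what actually stops 1=1 from ever being sent; the cap only bounds legitimate-looking clauses that happen to match too much. Whatever the client does, the map service's own MaxRecordCount setting limits what execute can return, so treat the client-side cap as a usability measure rather than the only control.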
