You can customize your filters by replacing input text to select one choice, as explained here:
Hope this helps
LalitS, thanks for your response, this would be a solution in cases where the possible values are not that many.
In Developer 18.104.22.168.0, and after looking at the logs, it seems that queries resulting from QBE use bind parameters (correct me if I am wrong).
Thus, they not are not are vulnerable to SQL injection.
Queries look like:
WHERE ( ( (CREATED_BY_USER LIKE ( :vc_temp_1 || '%') ) ) ) ORDER BY . . .
<OracleSQLBuilderImpl> <bindParamValue>  Binding param "vc_temp_1": abc%
where abc is the value i specify in the UI.
Timo thanks for your answer.
So far I am confident on the following (based on responses and other reading):
1) default implementation of Query By Example (QBE) (e.g. search fields) is "safe /safer" from/on SQL injection issues.
2) User entered data via non QBE fields (I assume this is "For other input text you" Timo mentions) should by checked against special characters (> < etc) to "prevent " cross side scripting.
However, should I do 2) for QBE filters on alphanumeric columns (default implementation) ? I can do it, but if I do it I would loose some searching functionality
as >, < are valid wildcard characters.