SQL injections are a common security issue when users are given the freedom to construct their own queries. One way to avoid them is to create a custom procedure that acts as a wrapper: the user supplies only the parameter values, never the query text, which eliminates the risk of injection.
Here is an example procedure for filtering the hand_on.cust view by country.
You can call it using CALL.
Or, if CALL is not available, you can query it like a table and pass the input variable name and value in a WHERE clause.
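The following is an added example, not code from the original page, showing why the wrapper pattern described above removes the injection risk. SQLite has no stored procedures, so a Python function stands in for the procedure: it owns a fixed query over the view and only binds the country value. The `cust` table, the `cust_view` view and their rows are constructed for the example (the page gives no schema for hand_on.cust). The unsafe function is included beside it to show the difference in behaviour on the same input; the protection holds only because the wrapper binds the parameter instead of splicing it into the SQL text.

```python
import sqlite3

# Constructed sample data standing in for the hand_on.cust view.
# Assumption: the page shows no schema, so these columns and rows are invented.
SAMPLE_ROWS = [
    (1, "Alice", "US"),
    (2, "Bob", "FR"),
    (3, "Chen", "US"),
    (4, "Dara", "DE"),
]


def build_db():
    """Create an in-memory database with a base table and a view over it."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cust (id INTEGER PRIMARY KEY, name TEXT, country TEXT)"
    )
    conn.executemany("INSERT INTO cust VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.execute("CREATE VIEW cust_view AS SELECT id, name, country FROM cust")
    conn.commit()
    return conn


def filter_cust_unsafe(conn, country):
    """The pattern the wrapper replaces: the user value is spliced into the
    query text, so a crafted value can change the query's logic."""
    sql = f"SELECT id, name, country FROM cust_view WHERE country = '{country}'"
    return conn.execute(sql).fetchall()


def filter_cust_by_country(conn, country):
    """Stand-in for the page's procedure (hypothetical name): the SQL text is
    fixed, and the country value travels as a bound parameter, so it can only
    ever be compared as data."""
    if not isinstance(country, str):
        raise TypeError("country must be a string")
    sql = "SELECT id, name, country FROM cust_view WHERE country = ?"
    return conn.execute(sql, (country,)).fetchall()


if __name__ == "__main__":
    conn = build_db()
    crafted = "' OR '1'='1"  # constructed input that breaks out of a quoted literal
    print("unsafe  :", filter_cust_unsafe(conn, crafted))      # every row leaks
    print("wrapper :", filter_cust_by_country(conn, crafted))  # [] (no such country)
    print("wrapper US:", filter_cust_by_country(conn, "US"))
```

Run with `python3 wrapper_demo.py`: the unsafe function returns all four rows for the crafted value, while the wrapper returns nothing, because the whole string is compared against the country column as a literal. The same property is what the database-side procedure gives you whether it is invoked via CALL or queried like a table with the value in a WHERE clause.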