
SQL Injection of parameters in SOQL query when using java to execute a SOQL query via the REST API


I have been writing Java code to access SFDC via the REST API and the security folks have come back saying that the dynamic SOQL queries are prone to SQL injection. Is there a way to use PreparedStatements when making the REST API call with a SOQL query to SFDC?


Here is an example of what I am doing:

import java.net.URI;
import java.util.ArrayList;
import java.util.List;
import org.apache.commons.lang.StringEscapeUtils;
import org.apache.http.NameValuePair;
import org.apache.http.client.utils.URIUtils;
import org.apache.http.client.utils.URLEncodedUtils;
import org.apache.http.message.BasicNameValuePair;

// instanceUrl, queryPath (the REST query resource path), deviceId and escapedPin
// are set earlier in the same class
boolean removeDeviceId = false;
String escapedDeviceId = null;
if (deviceId != null) {
    escapedDeviceId = StringEscapeUtils.escapeHtml(deviceId);
    escapedDeviceId = encodeSqlString(escapedDeviceId);
} else {
    removeDeviceId = true;
}

// set query string by concatenating the (escaped) user input into the SOQL text
String queryStr = "Select Token__c, fdgf, fdgf1, edr1, OutofSyncFlag__c, Id, fdgf, Contact__c From fdgfg__c where "
        + "Pin__c='" + escapedPin
        + "' and DeviceId__c='" + escapedDeviceId
        + "' and OutofSyncFlag__c = false LIMIT 1";

List<NameValuePair> qparams = new ArrayList<NameValuePair>();
qparams.add(new BasicNameValuePair("q", queryStr));
// URIUtils.createURI(scheme, host, port, path, query, fragment):
// the formatted q parameter is the query argument, not the path
URI uri = URIUtils.createURI("https", instanceUrl, -1, queryPath,
        URLEncodedUtils.format(qparams, "UTF-8"), null);

I am using Apache HttpClient to make the call. I am also using the OWASP ESAPI library to encode SQL strings now.





SOQL queries themselves are not vulnerable to SQL injection, meaning nobody is ever going to get into the actual salesforce DB.  But your security team is right in that your specific SOQL query could be open to SOQL injection.  So you will need to sanitize any user input that you'll be including in the SOQL query you send to salesforce.


FWIW, the risk from SOQL injection is not incredibly high.  There's no way the user could, for example, delete everything in your salesforce instance.  But it's still a good idea to sanitize user input.
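As an added example (not code from the original post), here is what "sanitize user input" concretely means for a SOQL string literal. SOQL uses backslash escapes inside single-quoted literals, so the two characters that let input break out of a literal are the single quote and the backslash; escaping them with a backslash is the same thing Apex's String.escapeSingleQuotes does for server-side dynamic SOQL. The object name Device__c, the field names and the hostile input below are constructed for the illustration, and URLEncoder.encode(String, Charset) assumes Java 10 or later.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public class SoqlQueryBuilder {

    // SOQL string literals use backslash escapes, so a literal ' or \ inside user input
    // must become \' or \\ before it is spliced into the query text.
    static String escapeSoqlString(String s) {
        StringBuilder out = new StringBuilder(s.length() + 8);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '\\': out.append("\\\\"); break;
                case '\'': out.append("\\'"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Object and field names are fixed in the code, never taken from user input:
    // escaping only protects the inside of a string literal, not identifiers.
    // Device__c and its fields are hypothetical names for this example.
    static String buildLookupQuery(String pin, String deviceId) {
        return "SELECT Id, Token__c, OutofSyncFlag__c FROM Device__c WHERE "
             + "Pin__c = '" + escapeSoqlString(pin) + "' AND "
             + "DeviceId__c = '" + escapeSoqlString(deviceId) + "' AND "
             + "OutofSyncFlag__c = false LIMIT 1";
    }

    // The q parameter is URL-encoded once, after SOQL escaping. URL encoding is for the
    // transport only; the REST endpoint decodes it before parsing the SOQL, so it does
    // nothing against injection.
    static String queryParameter(String soql) {
        return "q=" + URLEncoder.encode(soql, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed attack input: tries to close the Pin__c literal and relax the filter.
        String hostilePin = "1234' OR Pin__c != '";
        String deviceId = "dev-001";

        // Unescaped: the quote in hostilePin ends the literal and the rest becomes SOQL.
        String unsafe = "... WHERE Pin__c = '" + hostilePin + "' AND DeviceId__c = '" + deviceId + "'";
        // Escaped: the quote becomes \' and the whole input stays one literal value.
        String safe = buildLookupQuery(hostilePin, deviceId);

        System.out.println("unescaped: " + unsafe);
        System.out.println("escaped:   " + safe);
        System.out.println(queryParameter(safe));
    }
}
```

Two caveats worth checking in code like the question's. First, the escaping has to match the SOQL grammar: an HTML escaper changes characters such as & and < in the stored value and, in the case of commons-lang's escapeHtml, leaves the single quote alone, and an encoder written for another SQL dialect that doubles single quotes ('') does not produce a valid SOQL escape either. Second, if a value is placed inside a LIKE pattern, the wildcard characters % and _ also need a leading backslash, otherwise user input can still widen the match.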