Security Scanner SOQL injection even used the escapeSingleQuotes

Query Name - SOQL_SOSL_Injection
Severity - Critical
7. public UserController() //usercontroller.cls
...
10. id = apexpages.currentpage().getparameters().get('id');

My code:

public UserController() {
       try {
           user = new User__c();
           id = apexpages.currentpage().getparameters().get('id');
           if (id != null) {
                   user = [SELECT Id, Id__c, FirstName__c, LastName__c, MobilePhone__c, Username__c, Status__c FROM User__c where id =: string.escapeSingleQuotes(id)];
           }
       } catch(QueryException e) {
           ApexPages.Message msg = new ApexPages.Message(ApexPages.Severity.ERROR, 'Invalid User: '+id);
           ApexPages.addMessage(msg);
   }
   }

Please help out this issue.

Thanks,
Mohan

August 20, 2015
·
Answer
·
Like
0
·
Follow
1

ClintLee
Hi Mohan,

Try to escape the string outside of the SOQL query. Like this:

if (id != null) { id = String.escapeSingleQuotes(id); user = [SELECT Id ,Id__c ,FirstName__c ,LastName__c ,MobilePhone__c ,Username__c ,Status__c FROM User__c WHERE Id = :id]; }

Hope that helps,

Clint

August 25, 2015
·
Like
0
·
Dislike
0

You need to sign in to do that.

Need an account? Sign Up

Have an account? Sign In

Dismiss

Browse by Topic

Welcome to Support!

Show

sorted by

Security Scanner SOQL injection even used the escapeSingleQuotes

You need to sign in to do that.