Srinivasa Amarendra Reddy Vaka

String in database select

Hi,

I am getting an error as below. Any help is appreciated.

"abc.cls gets user input from
element recordid. This input is later concatenated by the application directly into a string
variable containing SQL commands, without being validated. This string is then used in method
XXX to query the database select, at line 137 of forceapp/
main/default/classes/abc.cls, without any additional
filtering by the database. This could allow the user to tamper with the filter parameter."

112. public static String abc(String recordId) {

137. public static XXX(String recordId) {

153.     Account act = [SELECT Id, Name, Member_Number__c, Phone FROM Account WHERE Id = :recordId LIMIT 1];

What kind of validation do I need to do on the field recordId prior to that database query? Could anyone please help?

Regards
Amar
ryanschierholz
If you're trying to validate the recordId, you could check the length of the string to make sure it's 18 characters and also that it starts with 001 (the prefix for the Account object).
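As an added example, not code from either poster, the check suggested above written as an Apex helper that the query method calls first. Instead of testing length and the literal prefix "001" by hand, it uses the platform's own parser (Id.valueOf, which throws System.StringException on a malformed value and accepts both the 15- and 18-character forms) and compares the parsed Id's SObject type to Account.SObjectType, which is equivalent to checking the Account key prefix. The class name AccountLookup and the exception type are assumptions for the example; the field list matches the query in the question. The query keeps the bind variable form (:accountId), which passes the value to the query engine as data rather than concatenating it into the SOQL text.

```apex
// Added example (not from the original post). Validates recordId before the SOQL lookup.
public with sharing class AccountLookup {

    // Assumed name: thrown when the caller supplies something that is not an Account Id.
    public class InvalidRecordIdException extends Exception {}

    // Returns the Id only if the input is a well-formed Salesforce Id
    // (15- or 18-character form) that belongs to the Account object.
    public static Id validateAccountId(String recordId) {
        if (String.isBlank(recordId)) {
            throw new InvalidRecordIdException('recordId is required');
        }

        Id parsed;
        try {
            // Id.valueOf rejects malformed strings (wrong length, bad characters,
            // bad checksum suffix) with System.StringException.
            parsed = Id.valueOf(recordId);
        } catch (StringException e) {
            throw new InvalidRecordIdException('recordId is not a valid Salesforce Id');
        }

        // Same check as "starts with 001", but driven by the object's metadata:
        // Account.SObjectType.getDescribe().getKeyPrefix() is '001'.
        if (parsed.getSobjectType() != Account.SObjectType) {
            throw new InvalidRecordIdException('recordId is not an Account Id');
        }
        return parsed;
    }

    // Query from the question, called only with a validated Id.
    public static Account getAccount(String recordId) {
        Id accountId = validateAccountId(recordId);

        // Bind variable: the value is handed to the query engine as data and is never
        // concatenated into the SOQL string, so it cannot change the WHERE filter.
        List<Account> rows = [SELECT Id, Name, Member_Number__c, Phone
                              FROM Account
                              WHERE Id = :accountId
                              LIMIT 1];
        return rows.isEmpty() ? null : rows[0];
    }
}
```

Calling AccountLookup.getAccount('0035g00000XXXXXAAA') (a Contact-shaped Id) throws InvalidRecordIdException, as does a string such as 'abc' or an empty value; a well-formed Account Id reaches the query. Returning null for an Id that passes validation but matches no visible row, rather than indexing a single-row query result, avoids a System.QueryException when the record does not exist or is not accessible under with sharing.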