M Sreekanth

Is this code avoiding SOQL injection?

apex code:-
--------------
public class SOQL_Injection_Ex {
    public string name{set;get;}
    public string phone{set;get;}
    public list<contact> conList{set;get;}
    public void searchMe(){
        // If nothing was entered, show all the contacts
        string query='Select id,FirstName,LastName,Phone,LeadSource from contact ';
        // If both LastName and Phone were entered, filter on both
        if(phone !='' && name !=''){
            query=query+'Where LastName =\''+name+'\' and Phone =\''+phone+'\'';
        }
        // If only Phone was entered, filter on Phone
        else if(phone !=''){
            query=query+'Where Phone =\''+phone+'\'';
        }
        // If only LastName was entered, filter on LastName
        else if(name !=''){
            query=query+'Where LastName =\''+name+'\'';
        }
        conList=Database.query(query);
    }
}

VF Page:-
------------
<apex:page controller="SOQL_Injection_Ex">
  <apex:form >
   <apex:pageblock title="Search Contacts">
    <apex:pageBlockButtons location="Bottom">
    <apex:commandButton action="{!searchMe}" value="Search"/>
    </apex:pageBlockButtons>
    <apex:pageBlockSection columns="1">
    <apex:pageblockSectionItem >
    <apex:outputLabel value="Enter Name"/>
    <apex:inputtext value="{!name}"/>
    </apex:pageblockSectionItem>
    </apex:pageBlockSection>
    
    <apex:pageBlockSection columns="1">
    <apex:pageblockSectionItem >
    <apex:outputLabel value="Enter Phone"/>
    <apex:inputtext value="{!phone}"/>
    </apex:pageblockSectionItem>
    </apex:pageBlockSection>
    </apex:pageblock>
    <apex:pageBlock title="Contact List">
    <apex:pageBlockTable value="{!conList}" var="c">
    <apex:column value="{!c.LastName}"/>
    <apex:column value="{!c.Phone}"/>
    <apex:column value="{!c.LeadSource}"/>
    </apex:pageBlockTable>
    </apex:pageBlock>
   
  </apex:form>
</apex:page>

If I enter this text in the phone field:- 81273623636 '\''+'And LastName=jso';
Best Answer chosen by M Sreekanth
Sai Praveen (Salesforce Developers)
Hi,

Yes, if you use input with quotation marks in it, it will give an error. So you have to use `String.escapeSingleQuotes(name)` as below.
 
public class SOQL_Injection_Ex {
    public string name{set;get;}
    public string phone{set;get;}
    public list<contact> conList{set;get;}
    public void searchMe(){
        // If nothing was entered, show all the contacts
        string query='Select id,FirstName,LastName,Phone,LeadSource from contact ';
        // Escape any single quotes in the user input before it is concatenated into the query
        String nameafterescape=String.escapeSingleQuotes(name);
        String Phoneafterescape=String.escapeSingleQuotes(phone);
        // If both LastName and Phone were entered, filter on both
        if(phone !='' && name !=''){
            query=query+'Where LastName =\''+nameafterescape+'\' and Phone =\''+Phoneafterescape+'\'';
        }
        // If only Phone was entered, filter on Phone
        else if(phone !=''){
            query=query+'Where Phone =\''+Phoneafterescape+'\'';
        }
        // If only LastName was entered, filter on LastName
        else if(name !=''){
            query=query+'Where LastName =\''+nameafterescape+'\'';
        }
        System.debug('query: '+query);
        conList=Database.query(query);
    }
}
Let me know if you face any issues.

If this solution helps, please mark it as the best answer.

Thanks,
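As an added example (not code from the question or from the accepted answer), here is the same search controller rewritten to pass the user's input as SOQL bind variables (`:name`, `:phone`) instead of concatenating it into the query string, plus a test that feeds it a value containing a single quote. The class names `SOQL_Injection_Ex_Bind` and `SOQL_Injection_Ex_Bind_Test`, the `with sharing` keyword, and the two contacts inserted by the test are my own choices; the two classes go in separate files.

```apex
// Added example, not code from the question or the accepted answer.
// Class names are my own; the contacts in the test are constructed sample data.
// "with sharing" is also an addition: the original controller did not declare it.
public with sharing class SOQL_Injection_Ex_Bind {
    public String name { get; set; }
    public String phone { get; set; }
    public List<Contact> conList { get; set; }

    public void searchMe() {
        // Same rule as the original controller: an empty field means "no filter".
        // String.isNotBlank() also treats null as empty, so an untouched field that
        // bound as null is simply not filtered on.
        Boolean hasName  = String.isNotBlank(name);
        Boolean hasPhone = String.isNotBlank(phone);

        String query = 'SELECT Id, FirstName, LastName, Phone, LeadSource FROM Contact';
        List<String> filters = new List<String>();
        // :name and :phone are bind variables. The query text never contains the
        // user's input, so a quote or a keyword inside it is compared as data and
        // cannot change the WHERE clause. Nothing needs escaping.
        if (hasName)  { filters.add('LastName = :name'); }
        if (hasPhone) { filters.add('Phone = :phone'); }
        if (!filters.isEmpty()) {
            query += ' WHERE ' + String.join(filters, ' AND ');
        }
        conList = Database.query(query);
    }
}

@IsTest
private class SOQL_Injection_Ex_Bind_Test {
    @TestSetup
    static void makeContacts() {
        // Constructed sample data for the test org
        insert new List<Contact>{
            new Contact(LastName = 'O\'Brien', Phone = '81273623636'),
            new Contact(LastName = 'Jso',      Phone = '5550000000')
        };
    }

    @IsTest
    static void quoteInInputIsMatchedAsData() {
        SOQL_Injection_Ex_Bind ctrl = new SOQL_Injection_Ex_Bind();
        ctrl.name  = 'O\'Brien';   // a single quote in the input
        ctrl.phone = '';
        ctrl.searchMe();           // no QueryException and no rewritten WHERE clause
        System.assertEquals(1, ctrl.conList.size());
        System.assertEquals('O\'Brien', ctrl.conList[0].LastName);
    }

    @IsTest
    static void blankInputsReturnAllContacts() {
        SOQL_Injection_Ex_Bind ctrl = new SOQL_Injection_Ex_Bind();
        ctrl.name  = null;         // an untouched field may bind as null
        ctrl.phone = '';
        ctrl.searchMe();
        System.assertEquals(2, ctrl.conList.size());
    }
}
```

Bind variables in dynamic SOQL must be simple variable names in scope when `Database.query` runs, which is why the controller properties are referenced directly; when the values live in a map instead, `Database.queryWithBinds(query, bindMap, AccessLevel.USER_MODE)` takes them from the map. `String.escapeSingleQuotes`, as used in the accepted answer, is a valid fix as long as the input is only ever placed inside a quoted string literal; it does not protect input that is concatenated as a field name, an ORDER BY clause or an unquoted number, whereas the bind form has no such condition.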

M Sreekanth
Thank you so much Pavan, sorry for the delayed reply.
M Sreekanth
And where did you learn this type of advanced stuff? Can you suggest any resources that you followed for Apex, Aura and also LWC?