M Sreekanth
Is this code avoiding SOQL Injection
apex code:-
--------------
public class SOQL_Injection_Ex {
    public String name { set; get; }
    public String phone { set; get; }
    public List<Contact> conList { set; get; }

    public void searchMe() {
        // If nothing was entered, show all contacts
        String query = 'Select id,FirstName,LastName,Phone,LeadSource from contact ';
        // If both LastName and Phone were entered, filter on both
        if (phone != '' && name != '') {
            query = query + 'Where LastName =\'' + name + '\' and phone =\'' + phone + '\'';
        }
        // If only Phone was entered, filter on Phone
        else if (phone != '') {
            query = query + 'Where Phone =\'' + phone + '\'';
        }
        // If only LastName was entered, filter on LastName
        else if (name != '') {
            query = query + 'Where LastName =\'' + name + '\'';
        }
        // User input is concatenated straight into the query string
        conList = Database.query(query);
    }
}
VF Page:-
------------
<apex:page controller="SOQL_Injection_Ex">
    <apex:form>
        <apex:pageBlock title="Search Contacts">
            <apex:pageBlockButtons location="Bottom">
                <apex:commandButton action="{!searchMe}" value="Search"/>
            </apex:pageBlockButtons>
            <apex:pageBlockSection columns="1">
                <apex:pageBlockSectionItem>
                    <apex:outputLabel value="Enter Name"/>
                    <apex:inputText value="{!name}"/>
                </apex:pageBlockSectionItem>
            </apex:pageBlockSection>
            <apex:pageBlockSection columns="1">
                <apex:pageBlockSectionItem>
                    <apex:outputLabel value="Enter Phone"/>
                    <apex:inputText value="{!phone}"/>
                </apex:pageBlockSectionItem>
            </apex:pageBlockSection>
        </apex:pageBlock>
        <apex:pageBlock title="Contact List">
            <apex:pageBlockTable value="{!conList}" var="c">
                <apex:column value="{!c.LastName}"/>
                <apex:column value="{!c.Phone}"/>
                <apex:column value="{!c.LeadSource}"/>
            </apex:pageBlockTable>
        </apex:pageBlock>
    </apex:form>
</apex:page>
If I entered this text in the phone field: 81273623636 '\''+'And LastName=jso';
Yes, if you use the input with some quotation it will give the error. So you have to use `String.escapeSingleQuotes(name)` as below.
Let me know if you face any issues.
If this solution helps, please mark it as best answer.
Thanks,
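A hardened version of the controller from the question, written here as an added example (it is not the answerer's code). The first method applies the `String.escapeSingleQuotes` call the answer recommends to every value before it is concatenated; the second avoids building query text from user input at all by using bind variables in the dynamic query. The `String.isNotBlank` checks are an assumption that replaces the original `!= ''` tests so that a null field is handled as well.

```apex
public class SOQL_Injection_Fixed {
    public String name { get; set; }
    public String phone { get; set; }
    public List<Contact> conList { get; set; }

    // Same query shape as the question, but every user-supplied value is escaped
    // before it is spliced in: a ' typed into the field becomes \' inside the
    // literal, so the input cannot close the string and add its own conditions.
    public void searchMe() {
        String query = 'SELECT Id, FirstName, LastName, Phone, LeadSource FROM Contact';
        List<String> filters = new List<String>();
        if (String.isNotBlank(name)) {
            filters.add('LastName = \'' + String.escapeSingleQuotes(name) + '\'');
        }
        if (String.isNotBlank(phone)) {
            filters.add('Phone = \'' + String.escapeSingleQuotes(phone) + '\'');
        }
        if (!filters.isEmpty()) {
            query += ' WHERE ' + String.join(filters, ' AND ');
        }
        conList = Database.query(query);
    }

    // Preferred form: the query text never contains user input. Database.query
    // resolves :n and :p as bind variables, so the platform treats the values as
    // data, whatever characters they contain.
    public void searchWithBinds() {
        String n = name;   // copy into locals so the bind references are simple variables
        String p = phone;
        String query = 'SELECT Id, FirstName, LastName, Phone, LeadSource FROM Contact';
        if (String.isNotBlank(n) && String.isNotBlank(p)) {
            query += ' WHERE LastName = :n AND Phone = :p';
        } else if (String.isNotBlank(p)) {
            query += ' WHERE Phone = :p';
        } else if (String.isNotBlank(n)) {
            query += ' WHERE LastName = :n';
        }
        conList = Database.query(query);
    }
}
```

With either method, the phone value from the question (`81273623636 '\''+'And LastName=jso';`) is matched literally against the Phone field and returns no rows instead of altering the WHERE clause.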