+ Start a Discussion
soorya rsoorya r 

soql injection in dynamic soql query

Hi All,

I have submitted  code for security scanning but i got  "SOQL injection issue". Please any one help me to resolve this.
@RemoteAction
     public static string addrecordtothirdparty(string partId, string AuthToken, string instantURL, string recordIds, string IdAndTag, string MappingJSON) {
       
        WrapperClass.Details detailsWrapper = new WrapperClass.Details();
        try {
            map<Id,map<string,string>> recordLstFnl = new map<Id,map<string,string>>();
            list<Contact> conRecLst     = new list<Contact>();
            list<string> recIdsLst = new list<string>();
            map < String, Schema.SObjectField > contactFields = Schema.SObjectType.Contact.fields.getMap();
			map < String, Schema.SObjectField > accountFields = Schema.SObjectType.Account.fields.getMap();	
            list<Account> acntLst = new list<Account>();
            map<string,Account> acntMap = new map<string,Account>();
            map <String, Object> fieldMapping = (map <String, Object>) JSON.deserializeUntyped(MappingJSON);
            list<string> strLst = new list<string>();
            list<string> acntstrLst = new list<string>();
            
            list<string> IdAndTagLst = IdAndTag.split(',');
            string tag = IdAndTagLst[0];
            string Id = IdAndTagLst[1];
            
            recIdsLst = recordIds.split(',');
            
            for( Object str : fieldMapping.values() ) {
            	if( str != 'record_type') {
            		strLst.add(string.valueof(str));	
            	}	
            } 
               
		    string fieldLst = string.join(strLst,',');
		    string Query = 'select '+fieldLst+' from Contact where Id =: recIdsLst ';
		    conRecLst = Database.query(Query);
It is urgent!!!

Thanks in advance!
 
Steven NsubugaSteven Nsubuga
To be totally certain, check out the module on Trailhead https://trailhead.salesforce.com/en/content/learn/modules/secdev_injection_vulnerabilities/secdev_inject_prevent_soql_injection

In your case, I suspect they want you to escape the single quotes.
Below is my attempt to fix that.
@RemoteAction
     public static string addrecordtothirdparty(string partId, string AuthToken, string instantURL, string recordIds, string IdAndTag, string MappingJSON) {
       
        WrapperClass.Details detailsWrapper = new WrapperClass.Details();
        try {
            map<Id,map<string,string>> recordLstFnl = new map<Id,map<string,string>>();
            list<Contact> conRecLst     = new list<Contact>();
            list<string> recIdsLst = new list<string>();
            map < String, Schema.SObjectField > contactFields = Schema.SObjectType.Contact.fields.getMap();
			map < String, Schema.SObjectField > accountFields = Schema.SObjectType.Account.fields.getMap();	
            list<Account> acntLst = new list<Account>();
            map<string,Account> acntMap = new map<string,Account>();
            map <String, Object> fieldMapping = (map <String, Object>) JSON.deserializeUntyped(MappingJSON);
            list<string> strLst = new list<string>();
            list<string> acntstrLst = new list<string>();
            
            list<string> IdAndTagLst = string.escapeSingleQuotes(IdAndTag).split(',');
            string tag = IdAndTagLst[0];
            string Id = IdAndTagLst[1];
            
            recIdsLst = string.escapeSingleQuotes(recordIds).split(',');
            
            for( Object str : fieldMapping.values() ) {
            	if( str != 'record_type') {
            		strLst.add(string.valueof(str));	
            	}	
            } 
               
		    string fieldLst = string.join(strLst,',');
		    string Query = 'select '+fieldLst+' from Contact where Id =: recIdsLst ';
		    conRecLst = Database.query(Query);