Mitesh Sura

prevent SOQL injection

Dear Users,

 

If you must build a dynamic SOQL query, something like the one below,

qryString += 'AND ' +filterField+ ' LIKE \'' +filterValue+ '%\' ';

 at least have getter and setter methods defined, something like this:

    // Escape quotes on assignment, so the query builder never sees raw input.
    public String filterValue {
        get { return filterValue; }
        set {
            if (value != null)
                filterValue = String.escapeSingleQuotes(value);
            else
                filterValue = '';
        }
    }
    public String filterField {
        get { return filterField; }
        set {
            if (value != null)
                filterField = String.escapeSingleQuotes(value);
            else
                filterField = '';
        }
    }

 This would prevent SOQL injection if a user enters something like ' OR 1==1;/*  in the VF page.

 

Feedback / Comments welcome. 

 

Regards,

SF Partner
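The post above escapes both the field name and the value. As an added example that is not code from the thread, the class below builds the same WHERE fragment two ways and shows the difference: escapeSingleQuotes neutralises a quote inside a quoted literal, but filterField is spliced into the query unquoted, so an attacker-supplied field name needs no quotes at all to change the clause. The hardened builder checks the field name against the object's describe result (a real-field allowlist) before concatenating it. The Contact object, the constructed attacker inputs, and the class and method names are assumptions for the illustration.

```apex
// Added example, not code from the thread. Assumes the Contact object and the
// constructed inputs below; the class and method names are hypothetical.
public with sharing class FilterInjectionDemo {

    public class BadFieldException extends Exception {}

    // Builds the WHERE fragment the way the post above does, with both
    // parameters passed through String.escapeSingleQuotes.
    public static String buildEscapedOnly(String filterField, String filterValue) {
        String qry = 'SELECT Id, Name FROM Contact WHERE Email != null ';
        qry += 'AND ' + String.escapeSingleQuotes(filterField)
             + ' LIKE \'' + String.escapeSingleQuotes(filterValue) + '%\' ';
        return qry;
    }

    // Hardened version: the field name must be a real, filterable, readable
    // Contact field according to the describe result, and only the describe's
    // own API name is ever concatenated into the query.
    public static String buildWithAllowlist(String filterField, String filterValue) {
        Map<String, Schema.SObjectField> fieldMap =
            Schema.SObjectType.Contact.fields.getMap();   // keys are lowercase API names
        Schema.SObjectField f =
            fieldMap.get(filterField == null ? '' : filterField.toLowerCase());
        if (f == null) {
            throw new BadFieldException('Unknown Contact field: ' + filterField);
        }
        Schema.DescribeFieldResult d = f.getDescribe();
        if (!d.isFilterable() || !d.isAccessible()) {
            throw new BadFieldException('Field not filterable/readable: ' + d.getName());
        }
        String qry = 'SELECT Id, Name FROM Contact WHERE Email != null ';
        qry += 'AND ' + d.getName()
             + ' LIKE \'' + String.escapeSingleQuotes(filterValue) + '%\' ';
        return qry;
    }

    // Run from Execute Anonymous: FilterInjectionDemo.demo();
    public static void demo() {
        // Constructed attacker inputs (not from the thread).
        String quotedValue = '\' OR Id != null AND Name LIKE \'';
        String badField    = 'Id != null OR Name';   // no quote characters at all

        // 1. Value injection is neutralised: each ' becomes \' inside the literal.
        System.debug(buildEscapedOnly('Name', quotedValue));
        // ... AND Name LIKE '\' OR Id != null AND Name LIKE \'%'

        // 2. Field-name injection is NOT neutralised: there is nothing to escape,
        //    and the spliced OR turns the clause into
        //    (Email != null AND Id != null) OR Name LIKE '%%', i.e. every Contact.
        System.debug(buildEscapedOnly(badField, '%'));

        // 3. The allowlist rejects the same input before any query is built.
        try {
            buildWithAllowlist(badField, '%');
        } catch (BadFieldException e) {
            System.debug('Rejected: ' + e.getMessage());
        }

        // A legitimate field still works, emitted under its canonical API name.
        System.debug(buildWithAllowlist('name', 'Smi'));
        // ... AND Name LIKE 'Smi%'
    }
}
```

The same describe-based check applies to any identifier position a user can influence (ORDER BY columns, selected fields): escaping is for data inside quoted literals, allowlisting is for names.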

Cory Cowgill

A helpful tip:

 

Make sure to do a security scan of your source code.

 

Force.com makes this super easy.

 

Just go to http://security.force.com/sourcescanner and input your username. It will automatically scan your org and send the email address in the org for that user a security report.

 

I believe this picks up dynamic SOQL that has not had escapeSingleQuotes executed on its string, if I remember correctly.

 

Also, that is the first thing Salesforce.com runs when they do their Security Review of your package, so running it yourself and correcting the issues before you submit will save you time.

 

Mitesh Sura

Thanks Cory for the quick response, I appreciate it.

 

That's what I do, but I was wondering if there is something that gets missed in online scanning? I would like to fix it up front rather than wait weeks before I hear from Salesforce. Yes, it does pick it up: before the changes it gave a security error, now it does not. I hope it passes security review as well.

 

Thanks again. 

 

 

Cory Cowgill

You may want to reach out to @ShobyAbdi on twitter.

 

He is a guru on the AppExchange process and how the Security Review works.

bvlk.phanikumar1.3946168341572039E12
Hi Friends,

I am also facing the same issue with SOQL injection. I tried to use the Id value to fetch the records from the object and used a dynamic SOQL query.

We use a method to get the id value from Apexpages.currentPage.getParameters.get('id') and assign that value to a local string variable.

We used that string value in the SOQL string.

We did a security scan of our source code and it flags this issue with severity "Critical".

Can you please help me to resolve this issue?

Regards,
Phanikumar
Mitesh Sura
Phanikumar,

Security review and dynamic SOQL are always tricky. The most common issues are:

- Make sure you use "String.escapeSingleQuotes" for all parameters.
- Remove escape="false" in VF tags.
- Make sure the user has delete/upsert access before making any DML calls.

You can always scan your code, but that is not very promising. Until you submit for review, you will not find all the security holes in your app. 

Hope this helps.

Mitesh
Mithra Sree
Great work by you Mitesh. I am a newbie here. Your article solved my dynamic query issue. Thanks!
Ashwani
Mitesh,

The code above may not pass the security review. The most important thing is how the final query is formed, so if you use:

qryString += 'AND ' +String.escapeSingleQuotes(filterField)+ ' LIKE \'' +String.escapeSingleQuotes(filterValue)+ '%\' ';

then no matter what you did with the variable, it won't affect the security review.

Also, try to use an assigned variable in scope, like:

qryString += 'AND that_field__c = :filterFieldVariable';
Database.query(qryString);
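Ashwani's second snippet binds the variable with ':' instead of concatenating it. As an added example that is not code from the thread, the controller below applies that to the three situations raised earlier in the discussion: the LIKE filter from the first post, the record Id read from the page parameter in Phanikumar's post, and the object-permission check before DML from Mitesh's list. A bound variable is never part of the query text, so it cannot change the query's structure no matter what it contains, which is also why the scanner has nothing to flag. The Contact object, the Visualforce page that passes ?id=..., and the class and method names are assumptions.

```apex
// Added example, not code from the thread. Assumes a Visualforce page that
// passes ?id=<Contact Id> and binds filterValue to an input; the class and
// method names are hypothetical.
public with sharing class ContactLookupController {

    public class AccessException extends Exception {}

    public String filterValue { get; set; }

    public ContactLookupController() {
        filterValue = '';
    }

    // The case from Phanikumar's post: the record Id arrives as a page
    // parameter. It is validated as an Id and then bound with ':', so it is
    // never part of the query text and cannot change the query's structure.
    public Contact loadFromPageParameter() {
        String rawId = ApexPages.currentPage().getParameters().get('id');
        if (rawId == null || !(rawId instanceof Id)) {
            throw new AccessException('Missing or malformed id parameter');
        }
        Id recordId = (Id) rawId;
        String qry = 'SELECT Id, Name, Email FROM Contact WHERE Id = :recordId';
        List<Contact> rows = Database.query(qry);
        return rows.isEmpty() ? null : rows[0];
    }

    // The LIKE filter from the first post, done with a bind variable instead
    // of concatenation. The wildcard is appended to the variable, not to the
    // query string, so quotes and backslashes in the user's text are plain data.
    // (% and _ in the text are still LIKE wildcards; strip them if that matters.)
    public List<Contact> searchByName() {
        String pattern = (filterValue == null ? '' : filterValue.trim()) + '%';
        String qry = 'SELECT Id, Name FROM Contact WHERE Email != null '
                   + 'AND Name LIKE :pattern ORDER BY Name LIMIT 200';
        return Database.query(qry);
    }

    // Mitesh's third point: check object-level permission before DML. Apex
    // runs in system mode, and "with sharing" only enforces record sharing,
    // not the profile's object permissions, so this check has to be explicit.
    public void deleteContact(Id recordId) {
        if (!Schema.SObjectType.Contact.isDeletable()) {
            throw new AccessException('Current user may not delete Contacts');
        }
        delete [SELECT Id FROM Contact WHERE Id = :recordId];
    }
}
```

Bind variables cover values; they cannot be used for field or object names, which is where the describe-based allowlist is still needed.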


Sumitkumar_Shingavi
I would also suggest using String.trim() before escaping the variable, in addition to all of the above.