
SOQL Security

Does user input in SOQL need to be escaped like SQL?


For example, if I have


$account = "SELECT Account.Name, (SELECT Quantity, PricebookEntry.ProductCode FROM OpportunityLineItems), Opportunity.Name, Opportunity.Id  FROM Opportunity WHERE Account.Id='$acc' AND Opportunity.saleComplete__c = true";


where $acc is user input, would I need to escape this?


We handle all the necessary SQL injection escaping. But you should always do user input sanitization. It is possible for user input to alter the semantic meaning of your SOQL query.
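The answer's point that user input can change the meaning of the query, even when quoting is handled for you, is easy to see with a concrete check. The following is an added example, not code from the thread or from Salesforce; it is written in Python rather than the question's PHP so the logic stands on its own. The query template is the question's query reduced to the part that takes user input, the record-ID pattern assumes the standard 15- or 18-character alphanumeric Salesforce ID, and the sample inputs are constructed. It does two things a practitioner would want here: it treats `Account.Id` as an allowlisted ID rather than free text (the strongest fix for this particular query), and for cases where the input really is text it shows backslash-then-quote escaping for a SOQL string literal, with a small quote counter that reveals when unescaped input has unbalanced the literal.

```python
import re

# The question's query, reduced to the part that takes user input.
# Constructed for this example; the original also pulls OpportunityLineItems.
QUERY_TEMPLATE = (
    "SELECT Account.Name, Opportunity.Name, Opportunity.Id FROM Opportunity "
    "WHERE Account.Id='{acc}' AND Opportunity.saleComplete__c = true"
)

# Assumption: a Salesforce record ID is 15 or 18 alphanumeric characters.
_SF_ID = re.compile(r"^[A-Za-z0-9]{15}(?:[A-Za-z0-9]{3})?$")


def is_salesforce_id(value: str) -> bool:
    """Allowlist check: True only for a well-formed 15- or 18-char record ID."""
    return bool(_SF_ID.match(value))


def escape_soql_literal(value: str) -> str:
    """Escape a value for use inside a single-quoted SOQL string literal.

    SOQL literals use backslash escapes, so the backslash is escaped first;
    otherwise a value ending in a backslash would swallow the escape that
    we add in front of the quote.
    """
    return value.replace("\\", "\\\\").replace("'", "\\'")


def count_unescaped_quotes(query: str) -> int:
    """Count single quotes that are not preceded by a backslash escape.

    The template has exactly two; any other count means the string literal
    boundary moved, i.e. the input changed the query's structure.
    """
    count = 0
    i = 0
    while i < len(query):
        if query[i] == "\\":
            i += 2  # skip the escaped character
            continue
        if query[i] == "'":
            count += 1
        i += 1
    return count


def build_account_query(acc: str) -> str:
    """Build the question's query, but refuse anything that is not a record ID."""
    if not is_salesforce_id(acc):
        raise ValueError(f"Account.Id filter is not a Salesforce record ID: {acc!r}")
    return QUERY_TEMPLATE.format(acc=acc)


def build_free_text_query(acc: str) -> str:
    """Escaped interpolation, for filters that legitimately take text."""
    return QUERY_TEMPLATE.format(acc=escape_soql_literal(acc))


if __name__ == "__main__":
    # Constructed sample inputs: a plausible record ID and a name with an apostrophe.
    ok_id = "001000000000001AAA"
    name_with_quote = "O'Brien"

    print(build_account_query(ok_id))

    raw = QUERY_TEMPLATE.format(acc=name_with_quote)  # what the question's code does
    print("unescaped quotes, raw input:", count_unescaped_quotes(raw))  # 3: literal unbalanced
    print("unescaped quotes, escaped input:",
          count_unescaped_quotes(build_free_text_query(name_with_quote)))  # 2: structure intact

    try:
        build_account_query(name_with_quote)
    except ValueError as err:
        print("rejected:", err)
```

The ID allowlist is the check that matters most for this query: an `Account.Id` filter never needs to accept arbitrary text, so rejecting non-ID input removes the question entirely. Escaping is the fallback for filters on text fields, and the quote counter is a cheap assertion to keep in tests so that a regression in the escaping shows up as a changed count rather than as a silently different query.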