ReeaDeveloper

Dynamic SOQL

Hello. I am running a dynamic SOQL statement that mimics 'SELECT * FROM Table WHERE ID = value'.

So I have my query = 'SELECT field1,field2,.... WHERE Id = ' + value. I get value from the URL as a parameter. I wanted to know if it is possible to somehow add a parameter to verify that my value is of type ID and prevent SQL injection.

Thanks.

Best Answer chosen by Admin (Salesforce Developers) 
bob_buzzard

In order to ensure the parameter from the URL is an ID, you could store it in an ID, e.g.

 

// Read the raw 'id' parameter from the page URL
String idStr = ApexPages.currentPage().getParameters().get('id');

// Assigning a String to an Id validates it as a Salesforce Id
ID contId = idStr;

This will throw an exception (System.StringException) if the parameter isn't an ID.

 

You can then bind contId to the SOQL query as suggested above.
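A fuller version of the same check, added here as an example and not code from the thread: it catches the conversion exception, confirms the Id belongs to Contact (an Id can be well-formed but point at another object), and binds it into the dynamic query instead of concatenating it. The controller class name and the `id` page parameter are assumptions.

```apex
// Added example (not from the original thread). Assumes a Visualforce page
// that passes the record Id as the 'id' URL parameter; class name is hypothetical.
public with sharing class ContactLookupController {

    public Contact found { get; private set; }
    public String errorMessage { get; private set; }

    public ContactLookupController() {
        String idStr = ApexPages.currentPage().getParameters().get('id');
        found = lookupContact(idStr);
    }

    // Returns the Contact for a validated Id, or null with errorMessage set.
    public Contact lookupContact(String idStr) {
        if (String.isBlank(idStr)) {
            errorMessage = 'Missing record Id';
            return null;
        }

        Id contId;
        try {
            // String -> Id conversion throws System.StringException unless the
            // value is a valid 15- or 18-character Salesforce Id.
            contId = idStr;
        } catch (System.StringException e) {
            errorMessage = 'Invalid record Id';
            return null;
        }

        // A valid Id may still belong to a different object; check the key prefix.
        if (contId.getSObjectType() != Contact.SObjectType) {
            errorMessage = 'Id is not a Contact Id';
            return null;
        }

        // Bind variable (:contId): the value is passed to the query engine
        // separately and is never spliced into the SOQL text, so it cannot
        // change the structure of the query. Never build the WHERE clause by
        // concatenating the raw parameter.
        String query = 'SELECT Id, Name, Email, Phone FROM Contact WHERE Id = :contId';
        List<Contact> rows = Database.query(query);
        return rows.isEmpty() ? null : rows[0];
    }
}
```

If a value ever has to be concatenated into a dynamic query (for example a name filter rather than an Id), wrap it with `String.escapeSingleQuotes()`; for Ids the bind variable above is the simpler and safer option.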

 

 

All Answers

Navatar_DbSup

Hi,

 

You can get the parameter from the URL in the controller by using the snippet below

 

String di1=ApexPages.currentPage().getParameters().get('id');

 

You can execute a dynamic query on the basis of the URL parameter

 

// di1 is referenced as a bind variable (:di1), not concatenated into the string
String query = 'select name,email,phone from contact where id = :di1';

 

sObject S = Database.query(query);

 

Did this answer your question? If not, let me know what didn't work, or if so, please mark it solved. 

 
