Dipak

SOQL injection not working on Force.com security scanner

Hi All,

I have written code which uses dynamic SOQL, and I also used "String.escapeSingleQuotes(value1)". But it is still showing a SOQL injection Critical Error on http://security.force.com/security/tools/forcecom/scanner

Can anyone check my application? UserId = ishibe-cms@salesforce.com

Look at the class cookieentryforwidgetinpagecontroller.cls for the SOQL injection.

It's urgent, please help me.

sfdcchampions

You haven't shared your password. If possible, share the class code on the community so that others can have a look and suggest something.

Dipak

Hi,
My code contents are:

// Fragment of cookieentryforwidgetinpagecontroller.cls as posted, wrapped in a class
// with the member declarations the fragment needs so that it compiles.
public with sharing class CookieEntryForWidgetInPageController {

    // Picklist-driven inputs
    public String radio, type;
    public String field1, field2, field3, field4;
    public String operator1, operator2, operator3, operator4;
    // Free-text inputs typed by the user
    public String value1, value2, value3, value4;

    public List<CookieDetailWrapper> cookieList = new List<CookieDetailWrapper>();
    public Set<CookieDetail__c> cd;
    public String soql;

    public class CookieDetailWrapper {
        public CookieDetail__c record;
        public CookieDetailWrapper(CookieDetail__c r) { record = r; }
    }

    private static final String INVALID_DATA_MSG = 'Entered Invalid Data: Value Field should not contain % OR \'';

    // The form refuses inputs containing % or '
    private static Boolean hasForbiddenChars(String s) {
        return s != null && (s.contains('%') || s.contains('\''));
    }

    private static Boolean isNumericField(String field) {
        return field == 'total_duration__c' || field == 'total_pv__c' || field == 'total_session__c';
    }

    // Builds one "field operator value" clause. Only the value is escaped; field and
    // operator are concatenated exactly as received, with no escaping or allow-list check.
    private static String clauseFor(String field, String operator, String value) {
        if (field == null || field == '-None-' || operator == null || operator == '-None-') {
            return null;
        }
        if (isNumericField(field)) {
            Double val = Double.valueOf(String.escapeSingleQuotes(value));
            return field + ' ' + operator + ' ' + val;
        }
        String v = String.escapeSingleQuotes(value);
        if (operator == 'LIKE') {
            // Grouped in parentheses so the ORs do not swallow the AND clauses that follow
            return '(' + field + ' LIKE \'' + v + '%\' OR ' + field + ' LIKE \'%' + v + '\' OR ' + field + ' LIKE \'%' + v + '%\')';
        }
        return field + ' ' + operator + ' \'' + v + '\'';
    }

    public PageReference search() {
        if (hasForbiddenChars(value1) || hasForbiddenChars(value2) || hasForbiddenChars(value3) || hasForbiddenChars(value4)) {
            ApexPages.addMessage(new ApexPages.Message(ApexPages.Severity.ERROR, INVALID_DATA_MSG));
            return null;
        }
        if (hasForbiddenChars(field1) || hasForbiddenChars(field2) || hasForbiddenChars(field3) || hasForbiddenChars(field4)) {
            ApexPages.addMessage(new ApexPages.Message(ApexPages.Severity.ERROR, INVALID_DATA_MSG));
            return null;
        }
        if (hasForbiddenChars(type)) {
            ApexPages.addMessage(new ApexPages.Message(ApexPages.Severity.ERROR, INVALID_DATA_MSG));
            return null;
        }
        type = String.escapeSingleQuotes(type);
        cookieList.clear();
        cd = new Set<CookieDetail__c>();

        /************Cookie Radio************/
        if (radio == 'Cookie') {
            List<String> clauses = new List<String>();
            for (String c : new List<String>{
                    clauseFor(field1, operator1, value1),
                    clauseFor(field2, operator2, value2),
                    clauseFor(field3, operator3, value3),
                    clauseFor(field4, operator4, value4) }) {
                if (c != null) {
                    clauses.add(c);
                }
            }
            // type and the field/operator parts of each clause go into the query as received
            soql = 'select Id,Name,Browser__c,Display__c,OS__c,Total_Duration__c,Total_PV__c,Total_Session__c from ' + type;
            if (!clauses.isEmpty()) {
                soql += ' where ' + String.join(clauses, ' and ');
            }
            System.debug('######soql#####' + soql);

            for (CookieDetail__c cDetail : Database.query(soql)) {
                cookieList.add(new CookieDetailWrapper(cDetail));
            }
        }
        return null;
    }
}

NOTE - Field1,2,3,4 come from a picklist.
       Type also comes from a picklist.
       Operator1,2,3,4 also come from picklists.
       Only Value1,2,3,4 are filled in by user input at a text box.
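String.escapeSingleQuotes only neutralises a quote inside a quoted string literal; it does nothing for an object name, a field name or an operator that is concatenated straight into the query, and a picklist only restricts what the page offers, not what a tampered request can send. The following is an added example, not the poster's class and not Salesforce's own code: it builds the same kind of dynamic SOQL, but every identifier that reaches the query is first checked against a server-side allow-list, numeric values are parsed before being inlined, and LIKE values have the user's own wildcards escaped. The object name CookieDetail__c, the field names and the '-None-' sentinel are taken from the thread; the class name, the allowed operator sets and the text-field list are assumptions.

```apex
// Added example (not the poster's code). Object/field names and the '-None-'
// sentinel come from the thread; class name, operator sets and text-field list
// are assumed for illustration.
public with sharing class CookieQueryBuilder {

    public class UnsafeInputException extends Exception {}

    // Allow-lists. Only strings taken from these sets are ever concatenated
    // into the query, so the raw request values cannot reach the SOQL text.
    private static final Set<String> ALLOWED_OBJECTS   = new Set<String>{ 'CookieDetail__c' };
    private static final Set<String> NUMERIC_FIELDS    = new Set<String>{ 'total_duration__c', 'total_pv__c', 'total_session__c' };
    private static final Set<String> TEXT_FIELDS       = new Set<String>{ 'name', 'browser__c', 'display__c', 'os__c' };
    private static final Set<String> NUMERIC_OPERATORS = new Set<String>{ '=', '!=', '<', '<=', '>', '>=' };
    private static final Set<String> TEXT_OPERATORS    = new Set<String>{ '=', '!=', 'LIKE' };

    private static final String SELECT_CLAUSE =
        'SELECT Id, Name, Browser__c, Display__c, OS__c, Total_Duration__c, Total_PV__c, Total_Session__c FROM ';

    // One "field operator value" clause. The emitted field and operator are the
    // normalised, allow-listed strings, never the raw input.
    public static String buildClause(String field, String operator, String value) {
        if (value == null) {
            throw new UnsafeInputException('Missing value for field: ' + field);
        }
        String f  = field == null ? '' : field.trim().toLowerCase();
        String op = operator == null ? '' : operator.trim().toUpperCase();

        if (NUMERIC_FIELDS.contains(f)) {
            if (!NUMERIC_OPERATORS.contains(op)) {
                throw new UnsafeInputException('Operator not allowed for numeric field: ' + operator);
            }
            // Double.valueOf throws on anything that is not a number, so the
            // inlined literal can only ever be a number.
            Double n = Double.valueOf(value.trim());
            return f + ' ' + op + ' ' + String.valueOf(n);
        }
        if (TEXT_FIELDS.contains(f)) {
            if (!TEXT_OPERATORS.contains(op)) {
                throw new UnsafeInputException('Operator not allowed for text field: ' + operator);
            }
            String lit = String.escapeSingleQuotes(value);
            if (op == 'LIKE') {
                // Escape the user's own % and _ so they match literally, then add ours.
                lit = lit.replace('%', '\\%').replace('_', '\\_');
                return f + ' LIKE \'%' + lit + '%\'';
            }
            return f + ' ' + op + ' \'' + lit + '\'';
        }
        throw new UnsafeInputException('Field not allowed: ' + field);
    }

    // Assembles the query from parallel (field, operator, value) lists; rows the
    // user left at '-None-' or blank are skipped.
    public static String buildQuery(String objectName, List<String> fields, List<String> operators, List<String> values) {
        if (!ALLOWED_OBJECTS.contains(objectName)) {
            throw new UnsafeInputException('Object not allowed: ' + objectName);
        }
        List<String> clauses = new List<String>();
        for (Integer i = 0; i < fields.size(); i++) {
            if (fields[i] == null || fields[i] == '-None-' || operators[i] == '-None-' || String.isBlank(values[i])) {
                continue;
            }
            clauses.add(buildClause(fields[i], operators[i], values[i]));
        }
        String soql = SELECT_CLAUSE + objectName;
        if (!clauses.isEmpty()) {
            soql += ' WHERE ' + String.join(clauses, ' AND ');
        }
        return soql;
    }

    // Example call from a controller action, e.g. with
    //   fields    = { 'Browser__c', 'total_pv__c', '-None-', '-None-' }
    //   operators = { 'LIKE',       '>',           '-None-', '-None-' }
    //   values    = { 'Chrome',     '10',          '',       ''       }
    // which yields: SELECT ... FROM CookieDetail__c WHERE browser__c LIKE '%Chrome%' AND total_pv__c > 10.0
    public static List<CookieDetail__c> search(String objectName, List<String> fields, List<String> operators, List<String> values) {
        String soql = buildQuery(objectName, fields, operators, values);
        return Database.query(soql);
    }
}
```

With field and operator both dynamic there is nothing left to bind, so the allow-list is what makes the concatenation safe; if only the value were dynamic, the simpler option is a bind variable in scope of the Database.query call (`'... WHERE Name = :value1'`), which never needs escaping. The original `%`-and-quote rejection becomes unnecessary once values are escaped this way, and the with sharing keyword keeps the dynamic query subject to the running user's record access.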