Dipak
SOQL injection not working on Force.com security scanner
Hi All,
I have written code which uses dynamic SOQL and also used "String.escapeSingleQuotes(value1)", but it is still showing a SOQL injection Critical Error on http://security.force.com/security/tools/forcecom/scanner
Can anyone check my application? UserId= ishibe-cms@salesforce.com
Look at class cookieentryforwidgetinpagecontroller.cls for SOQL injection
It's urgent, please help me.
You haven't shared your password. If possible, share the class code on the community so that others can have a look and suggest something.
Hi,
My code contents are:
if((value1!=NULL && (value1.contains('%')||value1.contains('\''))) || (value2!=NULL && (value2.contains('%')||value2.contains('\''))) || (value3!=NULL && (value3.contains('%') || value3.contains('\''))) || (value4!=NULL && (value4.contains('%') || value4.contains('\''))) )
{
ApexPages.addmessage(new ApexPages.message(ApexPages.severity.ERROR,'Entered Invalid Data: Value Field should not contain % OR \''));
return null;
}
if((field1!=NULL && (field1.contains('%')||field1.contains('\''))) || (field2!=NULL && (field2.contains('%')||field2.contains('\''))) || (field3!=NULL && (field3.contains('%') || field3.contains('\''))) || (field4!=NULL && (field4.contains('%') || field4.contains('\''))) )
{
ApexPages.addmessage(new ApexPages.message(ApexPages.severity.ERROR,'Entered Invalid Data: Value Field should not contain % OR \''));
return null;
}
if((type!=NULL && (type.contains('%')||type.contains('\''))))
{
ApexPages.addmessage(new ApexPages.message(ApexPages.severity.ERROR,'Entered Invalid Data: Value Field should not contain % OR \''));
return null;
}
type = String.escapeSingleQuotes(type);
cookieList.clear();
cd=new Set<CookieDetail__c>();
/************Cookie Radio************/
if(radio=='Cookie'){
Double val1,val2,val3,val4;
if(field1=='total_duration__c'||field1=='total_pv__c'||field1=='total_session__c'){
val1=Double.valueOf(String.escapeSingleQuotes(value1));
System.debug('######field1#####');
//soql='select Id,Name,Browser__c,Display__c,OS__c,Total_Duration__c,total_pv__c,Total_Session__c from '+type+' where '+field1+operator1+val1;
soql='select Id,Name,Browser__c,Display__c,OS__c,Total_Duration__c,total_pv__c,Total_Session__c from '+type+' where '+field1+operator1+val1;
}
else{
System.debug('######Field Contains text values11#####'+field1);
soql='select Id,Name,Browser__c,Display__c,OS__c,Total_Duration__c,Total_PV__c,Total_Session__c from '+type+' where '+field1+operator1+'\''+String.escapeSingleQuotes(value1)+'\'';
if(operator1=='LIKE')
soql='select Id,Name,Browser__c,Display__c,OS__c,Total_Duration__c,Total_PV__c,Total_Session__c from '+type+' where '+field1+' '+operator1+' '+'\''+String.escapeSingleQuotes(value1)+'%'+'\''+ ' OR '+field1+' '+operator1+' '+'\''+'%'+String.escapeSingleQuotes(value1)+'\''+' OR '+field1+' '+operator1+' '+'\''+'%'+String.escapeSingleQuotes(value1)+'%'+'\'';
}
if(field2=='total_duration__c'||field2=='total_pv__c'||field2=='total_session__c'){
val2=Double.valueOf(String.escapeSingleQuotes(value2));
System.debug('######numberofemployees2#####');
soql=soql+' and '+field2+operator2+val2;
}
if(field3=='total_duration__c'||field3=='total_pv__c'||field3=='total_session__c'){
val3=Double.valueOf(String.escapeSingleQuotes(value3));
System.debug('######numberofemployees3#####');
soql=soql+' and '+field3+operator3+val3;
}
if(field4=='total_duration__c'||field4=='total_pv__c'||field4=='total_session__c'){
val1=Double.valueOf(String.escapeSingleQuotes(value4));
System.debug('######numberofemployees4#####');
soql=soql+' and '+field4+operator4+val4;
}
else
{
System.debug('######Else----Field Contains text values--2#####');
if((field2!='-None-' && operator2!='-None-') && (field2!='total_duration__c' && field2!='total_pv__c' && field2!='total_session__c')){
soql=soql+' and '+field2+operator2+'\''+String.escapeSingleQuotes(value2)+'\'';
if(operator2=='LIKE')
soql=soql+' and '+field2+' '+operator2+' '+'\''+String.escapeSingleQuotes(value2)+'%'+'\''+ ' OR '+field2+' '+operator2+' '+'\''+'%'+String.escapeSingleQuotes(value2)+'\''+' OR '+field2+' '+operator2+' '+'\''+'%'+String.escapeSingleQuotes(value2)+'%'+'\'';
}
if((field3!='-None-' && operator3!='-None-') && (field3!='total_duration__c' && field3!='total_pv__c' && field3!='total_session__c')){
soql=soql+' and '+field3+operator3+'\''+String.escapeSingleQuotes(value3)+'\'';
if(operator3=='LIKE')
soql=soql+' and '+field3+' '+operator3+' '+'\''+String.escapeSingleQuotes(value3)+'%'+'\''+ ' OR '+field3+' '+operator3+' '+'\''+'%'+String.escapeSingleQuotes(value3)+'\''+' OR '+field3+' '+operator3+' '+'\''+'%'+String.escapeSingleQuotes(value3)+'%'+'\'';
}
if((field4!='-None-' && operator4!='-None-') && (field4!='total_duration__c' && field4!='total_pv__c' && field4!='total_session__c')){
soql=soql+' and '+field4+operator4+'\''+String.escapeSingleQuotes(value4)+'\'';
if(operator4=='LIKE')
soql=soql+' and '+field4+' '+operator4+' '+'\''+String.escapeSingleQuotes(value4)+'%'+'\''+ ' OR '+field4+' '+operator4+' '+'\''+'%'+String.escapeSingleQuotes(value4)+'\''+' OR '+field4+' '+operator4+' '+'\''+'%'+String.escapeSingleQuotes(value4)+'%'+'\'';
}
System.debug('######Else--End---Field Contains text values--2#####');
}
for(CookieDetail__c cDetail:Database.query(soql)){
cookieList.add(new CookieDetailWrapper(cDetail));
}
}
NOTE: Field1, 2, 3 and 4 come from a picklist.
Type also comes from a picklist.
Operator1, 2, 3 and 4 also come from picklists.
Only Value1, 2, 3 and 4 are filled in by user input in a text box. (Type is passed through String.escapeSingleQuotes, but the field and operator strings are still concatenated straight into the query without any escaping or whitelist check, which is likely what the scanner is flagging.)