You need to sign in to do that
Don't have an account?
big bang
How to deal with SOQL injection when use dynamic search
Dears,
I have a search page with several conditions, I pass the conditions to controller and make my search soql like this:
String soql = 'select Id , Name from Account where'; if (a != null) { soql += ' and xxx__c = \'' + a '\'' } if (b != null) { soql += ' and yyy__c = \'' + b '\'' } ...... List<Account> accList = Database.query(soql);
It seems like cannot pass the security scan because this is a soql injection.(Well, I just heard about that, I don't know whether this really cannot pass the scan...)
I read the wiki and other documents, they just say you should use static soql to put the parameters, like this:
PreparedStatement query = "select * from users where userid = :user and password = :password"; query.bindInt("user", Request.form("user").intValue()); query.bindString("password", getSaltedHash(Request.form("password"))); Database.executePreparedStatement(query);
But in my situation, I need to make the where clause dynamicly.
Is there some solutions to deal with it?
Waiting for your answers.
Thank you.
String soql = 'select Id , Name from Account where';
if (a != null) {
soql += ' and xxx__c = \'' + String.escapeSingleQuotes(a) +'\''
}
if (b != null) {
soql += ' and yyy__c = \'' + String.escapeSingleQuotes(b)+ '\''
}
......
List<Account> accList = Database.query(soql);
All Answers
The thing you are trying is in this blog...take a look
http://abhithetechknight.blogspot.in/2013/07/dynamic-soql-brief-description.html
Thanks
Abhi
String soql = 'select Id , Name from Account where';
if (a != null) {
soql += ' and xxx__c = \'' + String.escapeSingleQuotes(a) +'\''
}
if (b != null) {
soql += ' and yyy__c = \'' + String.escapeSingleQuotes(b)+ '\''
}
......
List<Account> accList = Database.query(soql);
Nice.
It seems like I just need some escapes.
Thanks.