+ Start a Discussion
RajusRajus 

parameter tampering issue.

Hi All,
I am getting Parameter_Tampering Issue in my apex code when i submit package for security review.It is coming specifically when i use string.escapeSingleQuotes(variable) to avoid SOQL-SOSL injection.

Do any one have idea about How to get rid of this issue.It ll be more helpful to me.

Thanks,
Rajesh.
Best Answer chosen by Rajus
vanessenvanessen
hello Rajus,
Got it to work.It is strange but the way to do it without getting the parameter tampering warning is as below :
t = [select Id, Status__c from Ticket__c where Id =:ApexPages.currentPage().getParameters().get('id')];

if you store the get id in a variable and use the variable then you will get the error.
(mark as answer if it suit)

All Answers

sunny.sfdcsunny.sfdc
Hi Rajesh

Please tell us more about the usage like where you are exactly using this method? It would be more helpful if you paste some code related to the issue as well.

Regards
Sachin
RajusRajus
Thanks Sachin for your reply.

Follwoing is my Apex code where i am getting the above issue.
public string recid{get;set;}
In constructor i wrote the following statement.
recid=ApexPages.currentPage().getParameters().get('id');

And i am using this recid in one of Apex method like below.
if(recid != null && recid != '')
List<Account> acc = [select Name from Account where id=:string.escapeSingleQuotes(recid)];



I dont know where i am doing wrong .If you have any idea that why this Vulnerabilty comes then pleas let me know.
Also please let me know if you need more information.

Thanks,
Rajesh.
vanessenvanessen
have you try the following code:
recid = EncodingUtil.urlEncode(ApexPages.currentPage().getParameters().get('id'),'UTF-8')
vanessenvanessen
this also not working :(  Im getting the same issue here. In fact, whenever you are storing the variable you are getting from the url, and is using this variable in a select, you get this error. In some doc about securities, that are telling to use post methods but, post methods also are retrieved via the .getParameters().get(). And for my case, i can't use post, because im calling my URL via javascript button created in salesforce itself (list button on the object). I don't seem to get any clue or answers on ho to do this. But at least can we pass this as a false positive on the review result ?
vanessenvanessen
hello Rajus,
Got it to work.It is strange but the way to do it without getting the parameter tampering warning is as below :
t = [select Id, Status__c from Ticket__c where Id =:ApexPages.currentPage().getParameters().get('id')];

if you store the get id in a variable and use the variable then you will get the error.
(mark as answer if it suit)
This was selected as the best answer