vanessen

Second_Order_SOQL_SOSL_Injection

When trying to pass security review, I am getting this error, and there is no place where this is explained, but the error occurs at the following line:
for (Product_Resource_Category__c prc : [SELECT Resource_Category__c, Resource_Category__r.Name, DT__c, OT__c, RT__c, TT__c, Quantity__c, Main_Resource__c
                                          FROM Product_Resource_Category__c
                                          WHERE Product__c = :itemMap.get(ticketLine.Item__c).Product__c]) {
    ......
}
Blake Tanon
What are you trying to do with this?
itemMap.get(ticketLine.Item__c).Product__c

Is it a map with the second piece being an sObject? You can't do that in a query; you'll have to put the possible values into a set, then query looking for that.
vanessen
Blake, the above code works fine. The problem is that, when I submit the code for review, it generates a second-order SOQL injection warning on this line, where this SOQL is not dynamic, so how can it be prone to attack?
Blake Tanon
It is probably due to your where clause filtering by itemMap.get(ticketLine.Item__c).Product__c; this is dynamic. It's hard to tell exactly without seeing what comes before this. What is your ticketLine variable, and what is in your itemMap?