
String.escapeSingleQuotes in Dynamic SOQL

Hello,

I am stuck with the use of String.escapeSingleQuotes in dynamic SOQL. I have one Visualforce page that provides a search page for users to search knowledge article records. There are 3 filters on the page, but only 1 field is a text field while the others are picklists. I am using the query below to get the list of article records.

qryString = 'SELECT Id, title, ArticleType, KnowledgeArticleId, UrlName FROM KnowledgeArticleVersion WHERE PublishStatus = \'online\' AND Language = \'en_US\' ';
// user-supplied title is escaped and then concatenated into the query text
qryString = qryString + 'AND ' + 'Title LIKE \'' + String.escapeSingleQuotes(articleTitle) + '\' ';
articleList = Database.Query(qryString);

But I'm still getting a SOQL/SOSL injection issue when running the security scan. Can someone please help me with this?

Thanks in Advance!!!!!
Swati G
You can put the String.escapeSingleQuotes value in a string variable and use that as a bind variable in the dynamic query.

String title = String.escapeSingleQuotes(articleTitle);
qryString = 'SELECT Id, title, ArticleType, KnowledgeArticleId, UrlName FROM KnowledgeArticleVersion WHERE PublishStatus = \'online\' AND Language = \'en_US\' ';
qryString = qryString + 'AND ' + 'Title LIKE :title ';
articleList = Database.Query(qryString);
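The approach in the answer above, written out as a complete Apex class. This is an added example, not code from the thread; the class name ArticleSearch, the method names, and the allowed ArticleType values are assumptions. It binds the text filter as a SOQL bind variable (so the user input never becomes part of the query string), adds the LIKE wildcards in code rather than accepting them from the user, and checks the picklist filter against an allow-list before it is bound as well.

```apex
// Added example (not from the original thread). Assumed class and method names.
public with sharing class ArticleSearch {

    // Assumed allow-list for the picklist filter; adjust to the org's article types.
    private static final Set<String> ALLOWED_ARTICLE_TYPES =
        new Set<String>{ 'FAQ__kav', 'How_To__kav' };

    // Search published English articles whose Title contains articleTitle.
    // articleType is optional; when present it must be one of the allowed values.
    public static List<KnowledgeArticleVersion> search(String articleTitle, String articleType) {
        // Wildcards are added here, not taken from the caller, so the user controls
        // only the literal text being matched. escapeSingleQuotes is no longer needed:
        // a bind variable is sent to the database as data, never spliced into SOQL.
        String pattern = '%' + articleTitle + '%';

        String qry = 'SELECT Id, Title, ArticleType, KnowledgeArticleId, UrlName '
                   + 'FROM KnowledgeArticleVersion '
                   + 'WHERE PublishStatus = \'online\' AND Language = \'en_US\' '
                   + 'AND Title LIKE :pattern';

        if (String.isNotBlank(articleType)) {
            // Reject anything that is not a known picklist value before it touches the query.
            if (!ALLOWED_ARTICLE_TYPES.contains(articleType)) {
                throw new IllegalArgumentException('Unsupported article type: ' + articleType);
            }
            qry += ' AND ArticleType = :articleType';
        }

        // Both bind variables are local variables in scope of this call, which is
        // what Database.query requires for :name references in a dynamic query.
        return Database.query(qry);
    }
}
```

Because neither value is concatenated into the SOQL text, a title such as `O'Reilly` or `%` is matched literally (apart from the wildcards the code itself adds) and a static scanner has no string concatenation of user input to flag. The allow-list on the picklist filter covers the other two filters the question mentions: picklist values arrive from the page as strings, so they should be validated against the expected set rather than trusted.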
Ramu_SFDC
You can consider using the JSENCODE method. Please review the post and article below for more information.

https://developer.salesforce.com/forums/ForumsMain?id=906F00000008oE7IAI

http://www.salesforce.com/us/developer/docs/pages/Content/pages_variables_functions.htm