sfp

Security Scanner reports SOQL injection even though escapeSingleQuotes is used

Query Name - SOQL_SOSL_Injection
Severity - Critical
7. public UserController() //usercontroller.cls
...
10. id = apexpages.currentpage().getparameters().get('id');

My code: 

public UserController() {
    try {
        user = new User__c();
        id = apexpages.currentpage().getparameters().get('id');
        if (id != null) {
            user = [SELECT Id, Id__c, FirstName__c, LastName__c, MobilePhone__c, Username__c, Status__c
                    FROM User__c
                    WHERE id = :string.escapeSingleQuotes(id)];
        }
    } catch (QueryException e) {
        ApexPages.Message msg = new ApexPages.Message(ApexPages.Severity.ERROR, 'Invalid User: ' + id);
        ApexPages.addMessage(msg);
    }
}

Please help me out with this issue.

Thanks,
Mohan

ClintLee
Hi Mohan,

Try to escape the string outside of the SOQL query.  Like this:
 
if (id != null) {
    id = String.escapeSingleQuotes(id);
    user = [SELECT Id
                  ,Id__c
                  ,FirstName__c
                  ,LastName__c
                  ,MobilePhone__c
                  ,Username__c
                  ,Status__c 
               FROM User__c 
              WHERE Id = :id];
}

Hope that helps,

Clint
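As an added illustration (not code from this thread or from Salesforce), the controller below shows the two query shapes the discussion is really about. A static SOQL query with a bind variable (`WHERE Id = :userId`) hands the value to the query engine as data rather than as query text, so it cannot change the query's meaning whether or not it is escaped; `String.escapeSingleQuotes` is the tool for dynamic SOQL, where the value is spliced into a query string. The class name, method names and the `username` lookup are assumptions; the `User__c` fields are the ones from the question.

```apex
// Added example, not the original poster's class. Assumes a Visualforce page
// passes an 'id' query-string parameter and that User__c has the fields below.
public with sharing class UserLookupController {
    public User__c userRecord { get; set; }
    public String requestedId { get; set; }

    public UserLookupController() {
        userRecord = new User__c();
        requestedId = ApexPages.currentPage().getParameters().get('id');
        try {
            if (String.isNotBlank(requestedId)) {
                userRecord = findUser(requestedId);
            }
        } catch (IllegalArgumentException e) {
            // Reported to the page the same way the original controller did.
            ApexPages.addMessage(new ApexPages.Message(ApexPages.Severity.ERROR,
                'Invalid User: ' + requestedId));
        }
    }

    // Static SOQL with a bind variable. The bound value never becomes part of
    // the query text, so no escaping is required. Returning a list also avoids
    // the QueryException a single-sObject assignment throws when no row matches.
    public static User__c findUser(String userId) {
        // Defence in depth: reject anything that is not a well-formed record ID
        // before it reaches the database at all.
        if (!(userId instanceOf Id)) {
            throw new IllegalArgumentException('Not a valid record ID');
        }
        List<User__c> rows = [
            SELECT Id, Id__c, FirstName__c, LastName__c, MobilePhone__c, Username__c, Status__c
            FROM User__c
            WHERE Id = :userId
            LIMIT 1
        ];
        return rows.isEmpty() ? null : rows[0];
    }

    // Dynamic SOQL: the query is assembled as a string, so this is where a
    // quote inside user input can alter the query. Two safe options are shown.
    public static User__c findByUsername(String username, Boolean useConcatenation) {
        String fields = 'Id, Id__c, FirstName__c, LastName__c, MobilePhone__c, Username__c, Status__c';
        String q;
        if (useConcatenation) {
            // Value becomes query text: escape it first, in its own variable,
            // as the answer above recommends, then concatenate the escaped copy.
            String safeName = String.escapeSingleQuotes(username);
            q = 'SELECT ' + fields + ' FROM User__c WHERE Username__c = \'' + safeName + '\' LIMIT 1';
        } else {
            // Preferred: Database.query still honours bind variables that are
            // in scope, so the value stays data and needs no escaping.
            q = 'SELECT ' + fields + ' FROM User__c WHERE Username__c = :username LIMIT 1';
        }
        List<User__c> rows = Database.query(q);
        return rows.isEmpty() ? null : rows[0];
    }
}
```

For a page such as `<apex:page controller="UserLookupController">`, `findUser` is the method that replaces the constructor query in the question: the `instanceOf Id` check gives a clear "Invalid User" message for malformed input instead of relying on a caught `QueryException`, and the bind variable is the injection control. `findByUsername` exists only to show the contrast: with concatenation the escaping must happen on the value before it is joined into the string, and when the value can instead be bound, binding is simpler and needs no escaping.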