• Mithra Sree
Dear Users,


If you must build a dynamic SOQL query, something like the one below,

qryString += 'AND ' +filterField+ ' LIKE \'' +filterValue+ '%\' ';

at least have getter and setter methods defined, something like this:

    public String filterValue {
        get { return filterValue; }
        set {
            // Escape single quotes in the user-supplied value before it is
            // concatenated into the query string; null becomes an empty string.
            if (value != null)
                filterValue = String.escapeSingleQuotes(value);
            else
                filterValue = '';
        }
    }
    public String filterField {
        get { return filterField; }
        set {
            // Same treatment for the field name taken from the page.
            if (value != null)
                filterField = String.escapeSingleQuotes(value);
            else
                filterField = '';
        }
    }

This would prevent SOQL injection if the user enters something like ' OR 1==1;/* in the VF page.

Feedback / comments welcome.

Regards,

SF Partner
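
Added example (not from the post above): a controller that applies the same idea end to end. The value is escaped with String.escapeSingleQuotes, and because the field name is not inside quotes (so escaping cannot protect that position) it is checked against an allowlist instead; the second method shows the bind-variable form, which keeps the value out of the query text altogether. The class name, the Contact fields and the allowlist are constructed for illustration.

```apex
public with sharing class ContactFilterController {
    // Constructed allowlist: only these columns may be used as the filter field.
    // An identifier in the WHERE clause is never quoted, so escapeSingleQuotes
    // does nothing for this position; the allowlist is what protects it.
    private static final Set<String> ALLOWED_FIELDS =
        new Set<String>{ 'LastName', 'Email', 'Title' };

    public String filterField { get; set; }
    public String filterValue { get; set; }

    // String-built form: column from the allowlist, value escaped.
    // For the input  ' OR 1==1;/*  the escaped value is  \' OR 1==1;/*
    // so the whole thing stays inside the LIKE literal.
    public String buildQuery() {
        if (filterField == null || !ALLOWED_FIELDS.contains(filterField)) {
            throw new IllegalArgumentException('Unsupported filter field');
        }
        String safeValue = String.escapeSingleQuotes(
            filterValue == null ? '' : filterValue);
        return 'SELECT Id, Name FROM Contact WHERE ' + filterField
            + ' LIKE \'' + safeValue + '%\'';
    }

    // Preferred form: the value travels as a bind variable, so no escaping
    // is needed for it; the column is still restricted by the allowlist.
    public List<Contact> search() {
        if (filterField == null || !ALLOWED_FIELDS.contains(filterField)) {
            throw new IllegalArgumentException('Unsupported filter field');
        }
        String pattern = (filterValue == null ? '' : filterValue) + '%';
        return Database.query('SELECT Id, Name FROM Contact WHERE '
            + filterField + ' LIKE :pattern');
    }
}
```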
