• yajiv
  • Member since 2011


Hi,

I have been writing Java code to access SFDC via the REST API and the security folks have come back saying that the dynamic SOQL queries are prone to SQL Injection. Is there a way to use PreparedStatements when making the REST API call with a SOQL query to SFDC?

 

Here is an example of what I am doing:

    String escapedDeviceId = null;
    if (deviceId != null) {
        escapedDeviceId = StringEscapeUtils.escapeHtml(deviceId);
        escapedDeviceId = encodeSqlString(escapedDeviceId);
    } else {
        removeDeviceId = true;
    }
    // set query string
    String queryStr = null;

    queryStr = "Select Token__c, fdgf, fdgf1, edr1, OutofSyncFlag__c, Id, fdgf, Contact__c From fdgfg__c where "
            + "Pin__c='"
            + escapedPin
            + "' and DeviceId__c='"
            + escapedDeviceId
            + "' and OutofSyncFlag__c = false LIMIT 1";

    List<NameValuePair> qparams = new ArrayList<NameValuePair>();
    qparams.add(new BasicNameValuePair("q", queryStr));
    URI uri = null;
    ...
    uri = URIUtils.createURI("https", instanceUrl, -1,
            "/services/data/v20.0/query",
            URLEncodedUtils.format(qparams, "UTF-8"), null);
    .....

I am using Apache HttpClient to make the call. I am also using the OWASP ESAPI library to encode SQL strings now.

https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet#Escaping_Dynamic_Queries

TIA,

Vijay

  • September 19, 2011
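
An added example, not part of the original post and not Salesforce's code: because the post sends the whole SOQL text as the single `q` parameter, this example validates each value against an allowlist and then backslash-escapes it for a single-quoted SOQL literal before concatenation. The `SoqlLiteral` class, its method names, the allowlist pattern and the sample values are assumptions made for illustration; the object and field names are taken from the post.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

public class SoqlLiteral {
    // Assumed input policy (not from the post): PIN and device id are short tokens.
    private static final Pattern ALLOWED = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    /** Escapes a value for use inside a single-quoted SOQL string literal. */
    static String escape(String value) {
        StringBuilder out = new StringBuilder(value.length() + 8);
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': out.append("\\\\"); break; // backslash must be doubled
                case '\'': out.append("\\'");  break; // quote can no longer close the literal
                case '\n': out.append("\\n");  break;
                case '\r': out.append("\\r");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Rejects anything outside the allowlist before it reaches the query text. */
    static String checked(String field, String value) {
        if (value == null || !ALLOWED.matcher(value).matches()) {
            throw new IllegalArgumentException("invalid " + field);
        }
        return value;
    }

    static String buildQuery(String pin, String deviceId) {
        return "SELECT Id, Token__c, Contact__c, OutofSyncFlag__c FROM fdgfg__c"
                + " WHERE Pin__c = '" + escape(checked("pin", pin)) + "'"
                + " AND DeviceId__c = '" + escape(checked("deviceId", deviceId)) + "'"
                + " AND OutofSyncFlag__c = false LIMIT 1";
    }

    public static void main(String[] args) {
        String hostile = "x' OR Pin__c != '";       // constructed sample input
        System.out.println(escape(hostile));        // escaping on its own
        String q = buildQuery("4821", "dev-01_A");  // constructed sample values
        System.out.println("q=" + URLEncoder.encode(q, StandardCharsets.UTF_8));
        try {
            buildQuery("4821", hostile);            // allowlist stops it before escaping
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```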

Hi,
I am trying to do an update of a Custom Object with Java and Apache HttpClient 4 and getting a 400 Bad Request error. I tried both _HttpPatch and the method below. Thanks for any help.

 

TIA,

Vijay

 

I blanked out the pod below to xxxxx-

 

URI:https://xxxxxx-salesforce.com/services/data/v20.0/sobjects/DeviceIdentifyingInfo__c/a1AK00000004HFaMAM

 status return code is not OK:400:HTTP/1.1 400 Bad Request
 
 Code snippet below:
 
    String url = "https://" + instanceUrl
            + "/services/data/v20.0/sobjects/DeviceIdentifyingInfo__c/"
            + escapedId;
    //     + escapedId + "?_HttpMethod=PATCH";
    HttpPost post = new HttpPost(url) {
        @Override
        public String getMethod() {
            return "PATCH";
        }
    };

    post.addHeader("Authorization", "OAuth " + sessionId);
    HttpParams params = post.getParams();
    HttpConnectionParams.setSoTimeout(params, connectionTimeoutInt);
    post.setParams(params);

    org.json.JSONObject device = new org.json.JSONObject();
    try {
        device.put("Id", escapedId);
        device.put("Token__c", escapedToken);
    } catch (org.json.JSONException e) {
        // the posted fragment had no catch block; rethrow so it compiles
        throw new IllegalStateException(e);
    }

    StringEntity se = new StringEntity(device.toString());
    post.setEntity(se);
    post.setHeader("Content-type", "application/json");

    // httpclient.executeMethod(get);
    HttpResponse httpResponse = httpclient.execute(post);

    if (httpResponse.getStatusLine() != null
            && httpResponse.getStatusLine().getStatusCode() == HttpStatus.SC_OK) {

    } else {
        //error 400<====
    }

  • August 04, 2011

Hi,

 

How do I return a picklist of values from an Entity via REST API call?

 

Here is how I do this in Apex code:

 

Caller code:

 

xxxxHelper.getSelectOptions(Account.Question1__pc.getDescribe());


Called code:

 

    public static List<SelectOption> getSelectOptions(Schema.DescribeFieldResult fieldResult) {
        List<SelectOption> options = new List<SelectOption>();
        for (Schema.PickListEntry ple : fieldResult.getPickListValues()) {
            options.add(new SelectOption(ple.getLabel(), ple.getValue()));
        }
        return options;
    }

 

 

I do see an equivalent /Account/describe but I am not sure how to map it into the call above to get the PickList values?

 

TIA,

Vijay

  • June 22, 2011

 

Hi,
I am trying to access the foreign key ProfileId in User using the REST API but I get an error on the ProfileId. How do I get the ProfileId for the User using the SOQL query below for the REST call to the User? I have already logged in and am passing the accessToken as the Authorization Header.

    HttpClient httpclient = new HttpClient();
    GetMethod get = new GetMethod("https://" + instanceUrl
            + "/services/data/v20.0/query");
    // set the token in the header
    get.setRequestHeader("Authorization", "OAuth " + accessToken);
    // set the SOQL as a query param
    NameValuePair[] params = new NameValuePair[1];
    //WHERE IsActive = true
    params[0] = new NameValuePair("q",
            "SELECT Email,Id,ProfileId FROM User LIMIT 1");

 

TIA,
Vijay

 

  • April 05, 2011

I have been trying to use wsc to access Salesforce using a Customer Portal login. I don’t see a place to put in the orgId and portalId to be able to log into Salesforce as is provided by for example the Flex for Force code.

 

Connection.organizationId = Parameters.orgid;

Connection.portalId = Parameters.portalid;

 

Is there a way I can log into Salesforce for a Customer Portal user ?

 

I am able to log in fine for a normal Salesforce user but not for a Customer Portal user.

 

Is there a ConnectorConfig.set...  to set the org and portalid similar to what the Flex for force code does to login a Customer Portal user ?

 

I am also using the Enterprise wsdl.

 

TIA,

Vijay

  • February 28, 2011

Hi,

 

I created a custom Object and exposed it via a Web service. I would like to access the data from a client using jQuery. Is it possible to access it anonymously without having to log into Salesforce?

 

TIA,

V

  • February 03, 2011

Hi,

 

I am trying to update the HTML editor of the Flow designer to use rich HTML, hand coded css and javascript and remove the html, head and body tag as I want the whole page to be part of 1 HTML document? For some reason, I am not able to do this.

 

I am starting with trying to change the css only and removing the html, body, head tags from the Statement to just leave the content there but it doesn't seem to let me. I want it to look like the web page flow and I was starting to edit the 1st page of the interview flow to make it highly rich and customized based on our css requirements.

 

Any ideas?

 

TIA,

Vijay

  • January 11, 2011

Hi,

 

I am trying to update the HTML editor of the Flow designer to use rich HTML, hand coded css and javascript and remove the html, head and body tag as I want the whole page to be part of 1 HTML document? For some reason, I am not able to do this.

 

I am starting with trying to change the css only and removing the html,body,head tags from the Statement to just leave the content there but it doesn't seem to let me.

 

Any ideas?

 

TIA,

Vijay

  • January 11, 2011