Trailhead SOQL Injection Challenge
Hi, I am also facing some problems with the Salesforce Trailhead SOQL Injection Challenge. I tried many ways, but I am still getting an error.
Can you suggest where I am going wrong?
Thank you
Simulate a SOQL Injection Attack
For this challenge, perform a SOQL injection on the search box to see information that is unintentionally exposed. Navigate to the SOQL Injection Challenge tab within the SOQL Injection application. You will see a search tool for the supply__c object. Use the search box to perform a SOQL injection which returns supplies meant for Nobles only. Hint: If you’ve done this successfully, your query should return one result containing Venison.
SOQL_Injection_Challenge:
public class SOQL_Injection_Challenge {
    public string textual {get; set;}
    public List<Supply__c> whereclause_records {get; set;}
    //SELECT Id,Name,Quantity__c,Storage_Location__c,Type__c FROM Supply__c
    public PageReference whereclause_search(){
        string query = 'SELECT Id,Name,Quantity__c,Storage_Location__c,Storage_Location__r.Castle__c,Type__c FROM Supply__c';
        string whereClause = '';
        if(textual != null && textual!=''){
            // Deliberately vulnerable: the raw search text is concatenated straight into the LIKE literal
            whereClause += 'name like \'%'+textual+'%\' ';
        }
        if(whereClause != ''){
            whereclause_records = database.query(query+' where '+whereClause+' Limit 10');
            validate(whereClause,whereclause_records.size());
        }
        return null;
    }
    // Challenge checker: records a pass in the cvcs__c custom setting when the built
    // WHERE clause contains the substrings it looks for and fewer than 10 rows came back
    public void validate(string s, integer i){
        if(s.contains('\'%') && s.containsIgnoreCase('Nobles_Only__c') && s.contains('%\'') && i<10){
            cvcs__c v = cvcs__c.getInstance('sic1');
            if(v==null){
                v = new cvcs__c(name='sic1',c1__c = 1);
            } else {
                v.c1__c += 1;
            }
            upsert v;
        }
    }
}
May I request that you please refer to the links below for reference.
- https://salesforce.stackexchange.com/questions/144151/prevent-soql-injection-in-your-code
- https://salesforce.stackexchange.com/questions/65820/writing-soql-queries-trailhead-challenge-question
Hope it will be helpful. Please mark it as the best answer if the information is informative, so that the question is removed from the unanswered questions and appears as a proper solution.
Thanks
Rahul Kumar
Please try the code below, which works fine for me. Hope this will help you pass the challenge.
Mark this as resolved if the information helps.
Thanks,
Nagendra
public class Prevent_SOQL_Injection_Challenge {
    public string textOne {get; set;}
    public string textTwo {get; set;}
    public string comparator {get; set;}
    public integer numberOne {get; set;}
    public List<Supply__c> whereclause_records {get; set;}
    public PageReference stringSearchOne(){
        string query = 'SELECT Id,Name,Quantity__c,Storage_Location__c,Storage_Location__r.Castle__c,Type__c FROM Supply__c';
        string whereClause = '';
        if(textOne != null && textOne!=''){
            // escapeSingleQuotes prefixes every ' in the input with a backslash,
            // so the user text cannot close the LIKE literal
            whereClause += 'name like \'%'+string.escapeSingleQuotes(textOne)+'%\' ';
        }
        if(whereClause != ''){
            whereclause_records = database.query(query+' where '+whereClause+' Limit 10');
        }
        return null;
    }
    public PageReference stringSearchTwo(){
        string query = 'SELECT Id,Name,Quantity__c,Storage_Location__c,Storage_Location__r.Castle__c,Type__c FROM Supply__c';
        string whereClause = '';
        if(textTwo != null && textTwo!=''){
            whereClause += 'Storage_Location__r.name like \'%'+string.escapeSingleQuotes(textTwo)+'%\' ';
        }
        if(whereClause != ''){
            whereclause_records = database.query(query+' where '+whereClause+' Limit 10');
        }
        return null;
    }
    public PageReference numberSearchOne(){
        string query = 'SELECT Id,Name,Quantity__c,Storage_Location__c,Storage_Location__r.Castle__c,Type__c FROM Supply__c';
        string whereClause = '';
        // The comparator is whitelisted and numberOne is an Integer, so neither input
        // can add anything to the query beyond an operator and a number
        if(numberOne != null && comparator != null && (comparator == '<' || comparator == '>' || comparator == '=')){
            whereClause += 'Quantity__c '+comparator+' '+string.valueOf(numberOne)+' ';
        }
        if(whereClause != ''){
            whereclause_records = database.query(query+' where '+whereClause+' Limit 10');
        }
        return null;
    }
}
if(textOne != null && textOne!=''){
    whereClause += 'name like \'%'+string.escapeSingleQuotes(textOne)+'%\' ';
}
if(textTwo != null && textTwo!=''){
    whereClause += 'Storage_Location__r.name like \'%'+string.escapeSingleQuotes(textTwo)+'%\' ';
}
Using typecasting –
First convert the variable from String to a number:
public Integer numberOne {get; set;}
Then use the string function below in the method:
if(numberOne != null && comparator != null && (comparator == '<' || comparator == '>' || comparator == '=')){
    whereClause += 'Quantity__c '+comparator+' '+string.valueOf(numberOne)+' ';
}
This should help you!!!
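As an added example (not code from the page, from Trailhead or from the posters), here is a Python model of the two WHERE-clause builders discussed in the answers above: the challenge's raw concatenation beside the escaped form, plus the typecast-and-whitelist numeric search. It assumes escape_single_quotes mirrors what Apex String.escapeSingleQuotes does (a backslash before every single quote); the helper names, the intactness check and the sample input are mine, and the object and field names are the page's.

```python
import re

# Field/object names are the page's; helper names and sample input are mine.
BASE_QUERY = ("SELECT Id,Name,Quantity__c,Storage_Location__c,"
              "Storage_Location__r.Castle__c,Type__c FROM Supply__c")
ALLOWED_COMPARATORS = {"<", ">", "="}

def escape_single_quotes(s: str) -> str:
    """Model of Apex String.escapeSingleQuotes: a backslash before every '."""
    return s.replace("'", "\\'")

def name_clause_vulnerable(textual: str) -> str:
    """The challenge class's builder: raw text pasted into the LIKE literal."""
    return "name like '%" + textual + "%' "

def name_clause_hardened(textual: str) -> str:
    """The fix from the answers: the text can no longer close the literal."""
    return "name like '%" + escape_single_quotes(textual) + "%' "

def quantity_clause_hardened(comparator: str, number_text: str):
    """Typecast + whitelist: None unless both inputs are well-formed."""
    if comparator not in ALLOWED_COMPARATORS:   # only <, >, = reach the query
        return None
    try:
        number = int(number_text)               # Integer binding rejects non-numeric text
    except ValueError:
        return None
    return f"Quantity__c {comparator} {number} "

def unescaped_quote_count(clause: str) -> int:
    """Count quotes not preceded by a backslash; one LIKE literal owns exactly two."""
    return len(re.findall(r"(?<!\\)'", clause))

def literal_intact(clause: str) -> bool:
    """Defender's check: any count other than two means user text reached the grammar."""
    return unescaped_quote_count(clause) == 2

def build_query(where_clause: str) -> str:
    return BASE_QUERY + " where " + where_clause + " Limit 10"

if __name__ == "__main__":
    user_text = "O'Brien"   # constructed: a legitimate value containing an apostrophe
    for label, builder in (("vulnerable", name_clause_vulnerable),
                           ("hardened", name_clause_hardened)):
        clause = builder(user_text)
        print(f"{label:10s} intact={literal_intact(clause)} :: {build_query(clause)}")
    print(quantity_clause_hardened("<", "10"), quantity_clause_hardened("<", "10 apples"))
```

The apostrophe in a perfectly legitimate value is enough to move the literal boundary in the vulnerable builder, which is why the escaped form fixes a correctness bug as well as the injection.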