Pspk

salesforce Trailhead SOQL injection Challenge

Hi, I am also facing a problem with the Salesforce Trailhead SOQL injection Challenge. I tried many ways but I am still getting an error.
Can you suggest where I am going wrong?
Thank you

SOQL_Injection_Challenge:

public class SOQL_Injection_Challenge {
    public string textual {get; set;}
    public List<Supply__c> whereclause_records {get; set;}
//SELECT Id,Name,Quantity__c,Storage_Location__c,Type__c FROM Supply__c
    public PageReference whereclause_search(){
        string query = 'SELECT Id,Name,Quantity__c,Storage_Location__c,Storage_Location__r.Castle__c,Type__c FROM Supply__c';
        string whereClause = '';
        if(textual != null && textual!=''){
                // The challenge leaves this concatenation unescaped on purpose:
                // a single quote in textual closes the string literal and the
                // rest of the input becomes part of the WHERE clause.
                whereClause += 'name like  \'%'+textual+'%\' ';
        }
        if(whereClause != ''){
            whereclause_records = database.query(query+' where '+whereClause+' Limit 10');
            // Challenge grading hook: counts a success when the submitted clause
            // references Nobles_Only__c and the query returns fewer than 10 rows.
            validate(whereClause,whereclause_records.size());
        }
        return null;
    }
    public void validate(string s, integer i){
      if(s.contains('\'%') && s.containsIgnoreCase('Nobles_Only__c') && s.contains('%\'') && i<10){
        cvcs__c  v = cvcs__c.getInstance('sic1');
        if(v==null){
          v = new  cvcs__c(name='sic1',c1__c = 1);
        } else {
            v.c1__c += 1;
        }
        upsert v;
      }
    }

}
Best Answer chosen by Pspk
Nayana K
whereClause += 'name like  \'%'+textual+'%\' ';

I think this has to be changed like this :
whereClause += 'name like  \'%'+textual.escapeSingleQuotes()+'%\' ';

 

All Answers

Pspk
Hi Nayana,
I am still getting this error when I try your answer.
"Error: Compile Error: Method does not exist or incorrect signature: void escapeSingleQuotes() from the type String at line 14 column 57"
Nayana K
whereClause += 'name like  \'%'+String.escapeSingleQuotes(textual)+'%\' ';
My bad.
Pspk
Thanks for the immediate reply Nayana,
but the challenge is still throwing the error :(

Challenge Not yet complete... here's what's wrong: 
It doesn't appear that you've successfully performed a SOQL injection using the Visualforce page. Take a look at the hint above and please try again.

 
Nayana K
public class Prevent_SOQL_Injection_Challenge {

    public string textOne {get; set;}
    public string textTwo {get; set;}
    public string comparator {get; set;}
    public Integer numberOne {get; set;}

    public List<Supply__c> whereclause_records {get; set;}


    public PageReference stringSearchOne(){
        string query = 'SELECT Id,Name,Quantity__c,Storage_Location__c,Storage_Location__r.Castle__c,Type__c FROM Supply__c';
        string whereClause = '';

        if(textOne != null && textOne!=''){
                // Escape the quote so the input cannot close the string literal
                whereClause += 'name like  \'%'+String.escapeSingleQuotes(textOne)+'%\' ';
        }

        if(whereClause != ''){
            whereclause_records = database.query(query+' where '+whereClause+' Limit 10');
        }

        return null;
    }


    public PageReference stringSearchTwo(){
        string query = 'SELECT Id,Name,Quantity__c,Storage_Location__c,Storage_Location__r.Castle__c,Type__c FROM Supply__c';
        string whereClause = '';

        if(textTwo != null && textTwo!=''){
                // Same escaping for the related-record name
                whereClause += 'Storage_Location__r.name like  \'%'+string.escapeSingleQuotes(textTwo)+'%\' ';
        }

        if(whereClause != ''){
            whereclause_records = database.query(query+' where '+whereClause+' Limit 10');
        }

        return null;
    }


    public PageReference numberSearchOne(){
        string query = 'SELECT Id,Name,Quantity__c,Storage_Location__c,Storage_Location__r.Castle__c,Type__c FROM Supply__c';
        string whereClause = '';

        // The comparator is not inside a quoted literal, so escaping would not help;
        // accept only the three known operators, and use a typed Integer for the value
        if(numberOne != null && comparator != null && (comparator == '<' || comparator == '>' || comparator == '=')){
            whereClause += 'Quantity__c '+comparator+' '+String.valueOf(numberOne)+' ';
        }
        }

        if(whereClause != ''){
            whereclause_records = database.query(query+' where '+whereClause+' Limit 10');
        }

        return null;
    }

}

You are looking into the wrong class. It is "Prevent_SOQL_Injection_Challenge" not "SOQL_Injection_Challenge".
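For readers who want the prevention side of this thread in one place: the class below is an added example, not Trailhead's challenge code and not Nayana's class above. It keeps user input out of the SOQL text entirely with bind variables instead of relying on escapeSingleQuotes(), and allowlists the comparator, which is the one fragment that is not a quoted string and therefore cannot be escaped. The object and field names (Supply__c, Quantity__c, Nobles_Only__c) come from the thread; the class name, method names and property names are assumptions.

```apex
// Added example: hardened search controller using bind variables.
// Class/method/property names are assumed; Supply__c fields are from the thread.
public with sharing class SupplySearchHardened {
    public String textOne { get; set; }
    public String comparator { get; set; }
    public Integer numberOne { get; set; }
    public List<Supply__c> results { get; private set; }

    private static final String BASE_QUERY =
        'SELECT Id, Name, Quantity__c, Storage_Location__c, Type__c FROM Supply__c';

    // Operators the page may request. Anything else is rejected, not escaped:
    // escapeSingleQuotes() only protects text inside a quoted literal, and the
    // comparator sits outside one.
    private static final Set<String> ALLOWED_COMPARATORS = new Set<String>{ '<', '>', '=' };

    // Free-text search. The term never becomes part of the query string: Apex
    // substitutes the in-scope variable :pattern after the query is parsed, so an
    // input such as  %' and Nobles_Only__c = True and name like '%  is compared
    // literally against Name and cannot add a second predicate.
    public PageReference stringSearchOne() {
        results = new List<Supply__c>();
        if (String.isBlank(textOne)) {
            return null;
        }
        String pattern = '%' + textOne + '%';
        results = Database.query(BASE_QUERY + ' WHERE Name LIKE :pattern LIMIT 10');
        return null;
    }

    // Numeric comparison. The operator must be on the allowlist and the number is
    // bound as an Integer, so neither input can change the shape of the WHERE clause.
    public PageReference numberSearchOne() {
        results = new List<Supply__c>();
        if (numberOne == null || comparator == null || !ALLOWED_COMPARATORS.contains(comparator)) {
            return null;
        }
        Integer quantity = numberOne;
        results = Database.query(
            BASE_QUERY + ' WHERE Quantity__c ' + comparator + ' :quantity LIMIT 10'
        );
        return null;
    }
}
```

Two notes on the design. A bound LIKE pattern still lets the user supply the SOQL wildcards % and _, which can widen the match but never add or change a predicate; strip them first if exact matching is required. On API version 57.0 and later, Database.queryWithBinds(queryString, bindMap, AccessLevel.USER_MODE) does the same binding from a Map and also enforces the running user's object and field permissions, which is the form to prefer in new code.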
Pspk
Thanks for the reply Nayana ,
Actually I am looking at the SOQL injection challenge only, but I was mistaken in thinking that the code needed to be changed in that challenge, which is wrong; I needed to perform the search query to inject it and retrieve one record.

Thank you once again :)
Nayana K
Most Welcome. Please mark this post as solved.
Swapnil Barad 34
Use this search text to pass this challenge...
[screenshot of the search text, not preserved in this copy]
Varun Arora 10
Use the SearchText below to pass; it results in a search of only 1 Supply__c record where Nobles_Only__c=True, for the 'Vension' Supply:
%'  and Nobles_only__c=True and name like '%Ven
Reshma Kuchipudi
Hi,
I am getting this error:
It doesn't appear that you've successfully performed a SOQL injection using the Visualforce page. Take a look at the hint above and please try again.
Akash Pandey 25
Hi Reshma,
You can pass this by entering the following search expression - 

%' and Nobles_Only__c = True and name like '%

Since you don't know the supply name, [name like '%Ven] is not a correct addition to the expression @Varun Arora