SOQL Injection Vulnerability

I am working on an assignment where I need to fix a SOQL injection issue in one of the SOQL queries in a batch Apex class. The query is below.
SELECT Id, Name FROM Contact WHERE (TrustName__c != null OR Status__c != null OR Title != null OR City__c != null OR Street__c != null OR State__c != null) AND Id IN (SELECT Contact__c FROM PP__c)

However, I am not sure how this SOQL was flagged as a vulnerable query since it is not querying a specific field with a LIKE or something like that.

Can someone clarify? If this is a vulnerable query, how do I re-write the query?
Shirisha (Salesforce Developers)
Hi Balaji,


I can see that you are trying to use the condition as below:

Id in (SELECT Contact__c from PP__c)

So, can you please confirm whether Contact__c is an ID? If not, I would suggest that you query only the Ids, as we are comparing the returned values with the ID type.

Kindly let me know if it helps you and close your query by marking it as solved so that it can help others in the future.

Warm Regards,
Shirisha Pathuri
Hi Shirisha,

Yes, Contact__c is the ID field. The custom object PP__c is a child to the Contact object with lookup relationship.

Shirisha (Salesforce Developers)
In that case, the SOQL query looks fine to me.

But we can still investigate to figure out which part of the query is causing the issue by removing the other criteria and using the SOQL injection to see if that works.

Thank you!
We use a third-party company to evaluate the vulnerabilities in our code. They charge for the scan, and it has to go through some approvals, so we cannot ask for another scan without a strong justification, and this is where I am also struggling. The query is not using any data input from a user or a form, though it is flagged as a SOQL-vulnerable query. In the worst-case scenario, I am planning to change the query from child-to-parent to parent-to-child and send it for a scan.
Is there a way to re-write the batch apex without the Database.getQueryLocator() method?
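As an added illustration for both the original question (why a fixed query with no user input is not injectable) and the follow-up about avoiding Database.getQueryLocator(), the batch class below contrasts the three shapes a scanner distinguishes: static SOQL, dynamic SOQL built by string concatenation, and dynamic SOQL with bind variables. This is example code written for this thread, not code from the poster or from Salesforce. The object and field names come from the query in the question; the class name, the optional statusFilter constructor argument, and the method names other than start/execute/finish are assumptions for illustration.

```apex
// Added example, not from the original thread. Field and object names are
// those of the question's query; the class name and the statusFilter
// argument are assumptions used to show the dynamic-query cases.
public class ContactWithPPBatch implements Database.Batchable<SObject> {

    // A caller-supplied value. Anything that can originate outside the
    // code (form input, a URL parameter, a custom setting) is treated as
    // untrusted when it reaches a query.
    private final String statusFilter;

    public ContactWithPPBatch(String statusFilter) {
        this.statusFilter = statusFilter;
    }

    // 1. Static (inline) SOQL, the form used in the question. The query
    //    text is fixed at compile time, so there is no string that runtime
    //    input could alter; a report of injection here is a false positive
    //    on the pattern rather than a reachable input.
    public Database.QueryLocator start(Database.BatchableContext bc) {
        return Database.getQueryLocator([
            SELECT Id, Name
            FROM Contact
            WHERE (TrustName__c != null OR Status__c != null OR Title != null
                   OR City__c != null OR Street__c != null OR State__c != null)
              AND Id IN (SELECT Contact__c FROM PP__c)
        ]);
    }

    // 2a. The shape that scanners are looking for: input concatenated into
    //     the query text. The value becomes part of the SOQL itself, so a
    //     quote character inside it rewrites the WHERE clause.
    public Database.QueryLocator startConcatenated(Database.BatchableContext bc) {
        String q = 'SELECT Id, Name FROM Contact WHERE Status__c = \''
                 + statusFilter
                 + '\' AND Id IN (SELECT Contact__c FROM PP__c)';
        return Database.getQueryLocator(q);
    }

    // 2b. Dynamic SOQL done safely: the value is passed as a bind variable
    //     (':status') and never becomes part of the query text. Copying the
    //     field into a local keeps the bind reference in scope.
    public Database.QueryLocator startBound(Database.BatchableContext bc) {
        String status = statusFilter;
        String q = 'SELECT Id, Name FROM Contact '
                 + 'WHERE Status__c = :status '
                 + 'AND Id IN (SELECT Contact__c FROM PP__c)';
        return Database.getQueryLocator(q);
    }

    // 3. Batch start() without Database.getQueryLocator(): the interface
    //    also accepts an Iterable<SObject>, and a static query result is one.
    //    Trade-off: a QueryLocator can stream up to 50 million records,
    //    while this form is subject to the ordinary SOQL row limits.
    public Iterable<SObject> startIterable(Database.BatchableContext bc) {
        return [
            SELECT Id, Name
            FROM Contact
            WHERE (TrustName__c != null OR Status__c != null OR Title != null
                   OR City__c != null OR Street__c != null OR State__c != null)
              AND Id IN (SELECT Contact__c FROM PP__c)
        ];
    }

    public void execute(Database.BatchableContext bc, List<SObject> scope) {
        // Per-chunk processing is not described in the question, so this
        // example leaves the records untouched.
    }

    public void finish(Database.BatchableContext bc) {}
}
```

Only start, execute and finish belong to the Database.Batchable interface; startConcatenated, startBound and startIterable are alternative bodies shown side by side, and a real class would keep one of them as start. The practical check when a scanner flags a query is the one the example makes visible: if the query is a static bracketed SOQL expression with no string concatenation, there is no injection path, and the fix is documentation for the reviewer rather than a code change; if a value must be spliced into query text because it cannot be bound (a field or object name, for instance), restrict it to an allow-list of known names, and for string values that cannot be bound, String.escapeSingleQuotes() is the last line of defence.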