soorya r
soql injection in dynamic soql query
Hi All,
I have submitted code for security scanning but I got a "SOQL injection issue". Please can anyone help me to resolve this.

```apex
@RemoteAction
public static string addrecordtothirdparty(string partId, string AuthToken, string instantURL,
                                           string recordIds, string IdAndTag, string MappingJSON) {
    WrapperClass.Details detailsWrapper = new WrapperClass.Details();
    try {
        map<Id, map<string, string>> recordLstFnl = new map<Id, map<string, string>>();
        list<Contact> conRecLst = new list<Contact>();
        list<string> recIdsLst = new list<string>();
        map<String, Schema.SObjectField> contactFields = Schema.SObjectType.Contact.fields.getMap();
        map<String, Schema.SObjectField> accountFields = Schema.SObjectType.Account.fields.getMap();
        list<Account> acntLst = new list<Account>();
        map<string, Account> acntMap = new map<string, Account>();
        // field mapping comes straight from the caller as JSON
        map<String, Object> fieldMapping = (map<String, Object>) JSON.deserializeUntyped(MappingJSON);
        list<string> strLst = new list<string>();
        list<string> acntstrLst = new list<string>();
        list<string> IdAndTagLst = IdAndTag.split(',');
        string tag = IdAndTagLst[0];
        string Id = IdAndTagLst[1];
        recIdsLst = recordIds.split(',');
        for (Object str : fieldMapping.values()) {
            if (str != 'record_type') {
                strLst.add(string.valueof(str));
            }
        }
        // caller-supplied values are concatenated into the SELECT list without validation
        string fieldLst = string.join(strLst, ',');
        string Query = 'select ' + fieldLst + ' from Contact where Id =: recIdsLst ';
        conRecLst = Database.query(Query);
        // the posted snippet ends here; the rest of the method was not included
    } catch (Exception e) {
        // placeholder: error handling of the original method is not in the post
        throw e;
    }
    return null; // placeholder: the real return value is not in the posted snippet
}
```

It is urgent!!!
Thanks in advance!
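The scanner flags the `'select ' + fieldLst + ...` concatenation: every value in `MappingJSON` is a caller-controlled string, and whatever it contains becomes part of the SELECT list. The `Id =: recIdsLst` part is already a bind variable and is fine. Below is an added example (not the poster's code, and not the answer's fix) showing the control that actually fits this case: only names that the `Schema.SObjectType.Contact.fields.getMap()` describe map already built in the post resolves to real, accessible Contact fields are allowed into the query, and the Id list stays bound. The class and method names (`ContactQueryBuilder`, `allowlistedContactFields`, `queryContacts`) are assumptions chosen for the example.

```apex
// Added example, not the poster's code: allowlist dynamic field names against the
// Contact describe map, then bind the Id list instead of concatenating it.
public with sharing class ContactQueryBuilder {

    public class InvalidFieldException extends Exception {}

    // Returns only the mapping values that are real, accessible Contact fields.
    // Anything else (including an injected SOQL fragment) is rejected outright.
    public static List<String> allowlistedContactFields(Map<String, Object> fieldMapping) {
        Map<String, Schema.SObjectField> contactFields = Schema.SObjectType.Contact.fields.getMap();
        List<String> safeFields = new List<String>();
        for (Object candidate : fieldMapping.values()) {
            String name = String.valueOf(candidate);
            if (name == 'record_type') {
                continue; // mapping marker used by the poster's code, not a field
            }
            // describe map keys are lower-case API names
            Schema.SObjectField fieldToken = contactFields.get(name.toLowerCase());
            if (fieldToken == null || !fieldToken.getDescribe().isAccessible()) {
                throw new InvalidFieldException('Field not allowed: ' + name);
            }
            // emit the API name from the describe result, never the raw input string
            safeFields.add(fieldToken.getDescribe().getName());
        }
        if (safeFields.isEmpty()) {
            safeFields.add('Id');
        }
        return safeFields;
    }

    // Same inputs as the poster's method: mapping JSON and a comma-separated Id list.
    public static List<Contact> queryContacts(String mappingJson, String recordIds) {
        Map<String, Object> fieldMapping = (Map<String, Object>) JSON.deserializeUntyped(mappingJson);
        List<String> fieldLst = allowlistedContactFields(fieldMapping);
        List<String> recIdsLst = recordIds.split(',');
        // SELECT list now contains only describe-verified names; Ids are a bind variable.
        String query = 'SELECT ' + String.join(fieldLst, ',') + ' FROM Contact WHERE Id IN :recIdsLst';
        return Database.query(query);
    }
}
```

`String.escapeSingleQuotes` only protects values that sit inside a quoted string literal in the query. Field names never sit inside quotes, so escaping does nothing for them; the describe-map allowlist is what closes this finding, and it also enforces field-level security through `isAccessible()`.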
In your case, I suspect they want you to escape the single quotes.
Below is my attempt to fix that.