SOQL/SOSL Injection: Dynamic SOQL cannot pass the Checkmarx security check, can anyone help me?
Hello,
I created an Apex class which contains some dynamic SOQL. The functions are used for custom pagination and custom search functionality.
All of them work fine. But I tried the Checkmarx security scan on my account and found the dynamic SOQL caused security issues like SOQL injection.
Error : Severity - Critical
public List<Branch__c> getRecords()
{
    // LIMIT and OFFSET are concatenated into the query string; this is the line Checkmarx flags.
    // A space after OFFSET is required, otherwise the keyword and the number run together.
    return (List<Branch__c>)database.query(FetchBranchRecordsQry + ' LIMIT ' + PaginationForBranch.queryLimit + ' OFFSET ' + PaginationForBranch.offset);
}

string FetchBranchRecordsQry = 'Select id, Name, CreatedBy.Name, Branch__c.CreatedDate, BranchName__c, BranchAdmin__r.Name, BranchEstDate__c, Active__c FROM Branch__c Order by Name DESC';
Can anyone help me with how to use dynamic SOQL?
Thanks,
Yarram
Instead of writing the query string inside single quotes, use escapeSingleQuotes(String).
It will avoid the SOQL injection error.
http://www.salesforce.com/us/developer/docs/apexcode/Content/apex_System_String_escapeSingleQuotes.htm
Regards
Sagarika Rout
SFDC Developer
Hi,
Yes, I can confirm that it is vulnerable to SOQL injection. Please follow the URL below to fix this:
http://www.salesforce.com/us/developer/docs/apexcode/Content/pages_security_tips_soql_injection.htm
If you still have any question, let me know.
Happy to help you!
Hi Sagarika,
Thanks for the reply.
Yes, I made the changes in Database.query() and I followed the String.escapeSingleQuotes() approach as well, but I am getting the same error.
Error : Severity - Critical
public List<Branch__c> getRecords()
{
    // The pagination values are now passed through String.escapeSingleQuotes(), but they are
    // still concatenated into the query string, so the scanner reports the same finding.
    return (List<Branch__c>)database.query(FetchBranchRecordsQry + ' LIMIT ' + String.escapeSingleQuotes(String.valueOf(PaginationForBranch.queryLimit)) + ' OFFSET ' + String.escapeSingleQuotes(String.valueOf(PaginationForBranch.offset)));
}

string FetchBranchRecordsQry = 'Select id, Name, CreatedBy.Name, Branch__c.CreatedDate, BranchName__c, BranchAdmin__r.Name, BranchEstDate__c, Active__c FROM Branch__c Order by Name DESC';
Please help me. If you have any sample code for Database.query() using the LIMIT and OFFSET keywords, please share it with me.
Thanks,
Yarram.
Hi,
Could you please try the code below. I am assuming you are not using this query string anywhere else.
Let me know if you have any specific question.
Happy to help you!
Hi,
No, I am using the same query string in 6 more places; that is the only reason I am using Database.query() (dynamic SOQL). Is there any other way to solve this SOQL injection issue in dynamic SOQL queries? Please give me your suggestion for this.
public PaginationUtil PaginationForBranch { get; set; }

string FetchBranchRecordsQry = 'Select id, Name, CreatedBy.Name, Branch__c.CreatedDate, BranchName__c, BranchAdmin__r.Name, BranchEstDate__c, Active__c FROM Branch__c Order by Name DESC';
string FetchBranchCaseRecordCount = 'select COUNT(id) cnt from Branch__c';

PaginationForBranch = new PaginationUtil(FetchBranchRecordsQry, FetchBranchCaseRecordCount);

public List<Branch__c> getRecords()
{
    // Same shared base query as above; LIMIT and OFFSET are still concatenated (note the space after OFFSET).
    return (List<Branch__c>)database.query(FetchBranchRecordsQry + ' LIMIT ' + PaginationForBranch.queryLimit + ' OFFSET ' + PaginationForBranch.offset);
}
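An added example, not code from this thread or from Salesforce, of the pattern asked for in the post above: one shared base query (so it can still be reused elsewhere), with LIMIT and OFFSET supplied to Database.query through Apex bind variables instead of string concatenation. Branch__c and its fields are taken from the thread; the class name BranchPagination, the page-size caps and the plain Integer arguments standing in for PaginationUtil are assumptions.

```apex
// Added example (not the asker's code): dynamic SOQL pagination with bind variables.
// Assumed names: BranchPagination, MAX_PAGE_SIZE, MAX_OFFSET; Branch__c fields are from the thread.
public with sharing class BranchPagination {

    // The field list and object are fixed text the caller can never influence, so the
    // only runtime values that reach the query are the two bind variables below.
    private static final String BASE_QUERY =
        'SELECT Id, Name, CreatedBy.Name, CreatedDate, BranchName__c, '
        + 'BranchAdmin__r.Name, BranchEstDate__c, Active__c '
        + 'FROM Branch__c ORDER BY Name DESC';

    // Ceilings keep a caller from paging out the whole table or exceeding the
    // platform's 2000-row OFFSET maximum (assumed limits for this example).
    private static final Integer MAX_PAGE_SIZE = 200;
    private static final Integer MAX_OFFSET = 2000;

    // Clamp the requested page to a sane range; Integer typing alone already rules
    // out injected SOQL text, the clamp avoids a runtime QueryException.
    private static Integer clampLimit(Integer pageSize) {
        return (pageSize == null || pageSize < 1) ? 1 : Math.min(pageSize, MAX_PAGE_SIZE);
    }

    private static Integer clampOffset(Integer pageOffset) {
        return (pageOffset == null || pageOffset < 0) ? 0 : Math.min(pageOffset, MAX_OFFSET);
    }

    // Paginated listing. :lim and :off are resolved by the platform as bind
    // variables, so no runtime value is ever spliced into the SOQL string.
    public static List<Branch__c> getRecords(Integer pageSize, Integer pageOffset) {
        Integer lim = clampLimit(pageSize);
        Integer off = clampOffset(pageOffset);
        String soql = BASE_QUERY + ' LIMIT :lim OFFSET :off';
        return Database.query(soql);
    }

    // Custom search: a user-supplied name fragment becomes a bind too. Binding makes
    // String.escapeSingleQuotes() unnecessary, since the value is not part of the query text.
    public static List<Branch__c> searchByName(String namePart, Integer pageSize, Integer pageOffset) {
        Integer lim = clampLimit(pageSize);
        Integer off = clampOffset(pageOffset);
        String pattern = '%' + (namePart == null ? '' : namePart) + '%';
        String soql = 'SELECT Id, Name, BranchName__c, Active__c FROM Branch__c '
                    + 'WHERE Name LIKE :pattern ORDER BY Name DESC LIMIT :lim OFFSET :off';
        return Database.query(soql);
    }
}
```

Bind variables in Database.query must be simple local variables in scope at the call, which is why the clamped values are assigned to lim and off before the query string is built.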
Hi,
Could you please try the code snippet below. We are using the same approach and have cleared technical review with it as well.
Let me know if you have any problem.
Happy to help you!
Hi,
As you mentioned, I tried the same approach and submitted it to the Checkmarx review; again the review failed because of the SOQL injection error. How can we overcome this problem? Please help me. Below is my changed code.
Hi,
That is strange. We have a code base with the same style of dynamic query and it passed without any problem. Let me look at another possible way.
Hi, here is the actual error code section I am getting, which is in the Checkmarx PDF report document.
I want to ask you one question: which review (the Salesforce Security (paid) review or the Checkmarx (free) review) did you pass the dynamic query code with? Please let me know.
Hi,
We went for Checkmarx Review.
OK, we also went for the Checkmarx review, so why is it giving me dynamic SOQL query problems?
Thanks,
Yarram.
That's what puzzles me too!