JGK

SQL Injection

Hi all,

We received the following question from our developer:

When we query Salesforce we use a statement like the one beneath. However, we are afraid it can be abused to perform SQL injection. The only alternative is not to use ‘where’ and to query the whole Salesforce database. Once we have all the data, we can then perform a search on the data on our side. However, this solution has performance issues. Can you please advise us how to use an SQL-injection-free query?

var objResult = svc.query("select id, lastname, firstname, email, Email_opt_in__c from contact where Id = '003D0000013uxmpIAA'");

The Salesforce support team could not really help with this question. Anyone who has experience with this or might be able to help with this question?

Thank you in advance.

admintrmp

There is nothing wrong with using dynamic SOQL. You just have to be cautious about how you place variables in there. If you are placing a string into your dynamic SOQL query, simply escape single quotes.

I don't know what language you are using there, but the Apex equivalent is:

// Read the untrusted request parameter, then escape any single quotes in it
// before it is spliced into the quoted literal of the dynamic SOQL string.
String contactId = ApexPages.currentPage().getParameters().get('id');
sObject[] objResult = Database.query('select id, lastname, firstname, email, Email_opt_in__c from contact where Id = \'' + String.escapeSingleQuotes(contactId) + '\'');

That is a safe query string.
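The escaping rule admintrmp describes, applied outside Apex, as an added example that is not code from either post: a Python helper that escapes backslashes and single quotes the way a SOQL quoted string literal requires, plus an Id-format allowlist for the Id filter in the question (Salesforce record Ids are 15 or 18 alphanumeric characters). Function names and the sample values are my own.

```python
import re

# A SOQL string literal may contain a backslash or a single quote only when
# escaped with a backslash, so both characters are escaped before the value is
# placed between quotes (the same job String.escapeSingleQuotes does in Apex).
def soql_quote(value: str) -> str:
    """Return value as a single-quoted SOQL string literal."""
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")
    return f"'{escaped}'"

# Salesforce record Ids are 15- or 18-character alphanumeric strings, so an Id
# filter can be validated against that shape instead of relying on escaping.
_ID_RE = re.compile(r"[A-Za-z0-9]{15}(?:[A-Za-z0-9]{3})?")

def is_salesforce_id(value: str) -> bool:
    return _ID_RE.fullmatch(value) is not None

FIELDS = "id, lastname, firstname, email, Email_opt_in__c"

def contact_by_id_query(contact_id: str) -> str:
    """Build the Contact lookup from the question, rejecting anything that is not an Id."""
    if not is_salesforce_id(contact_id):
        raise ValueError("not a Salesforce record Id")
    return f"select {FIELDS} from contact where Id = {soql_quote(contact_id)}"

def contact_by_lastname_query(last_name: str) -> str:
    """Free-text filter: no allowlist fits a name, so the value is escaped instead."""
    return f"select {FIELDS} from contact where LastName = {soql_quote(last_name)}"

if __name__ == "__main__":
    # Constructed sample values: the Id from the question and a name with a quote.
    print(contact_by_id_query("003D0000013uxmpIAA"))
    print(contact_by_lastname_query("O'Brien"))
```

Validate the Id before it reaches the query and escape any free-text value; both are cheaper than pulling every Contact and filtering client-side.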

Milan Sanghani

Hi,

Here you will get an exact idea about what SOQL injection is and how to solve it.

http://wikisf.blogspot.in/2012/08/preventing-soql-injection.html

Thanks,

Milan