SQL Injection
Hi all,
We received the following question from our developer:
When we query Salesforce we use a statement like the one below. However, we are afraid it can be abused to perform SQL injection. The only alternative is not to use 'where' and to query the whole Salesforce database. Once we have all the data, we can then perform a search on the data on our side. However, this solution has performance issues. Can you please advise us on how to use an SQL-injection-free query?
var objResult = svc.query("select id, lastname, firstname, email, Email_opt_in__c from contact where Id = '003D0000013uxmpIAA'");
The Salesforce support team could not really help with this question. Does anyone have experience with this, or might be able to help with this question?
Thank you in advance.
There is nothing wrong with using dynamic SOQL. You just have to be cautious about how you place variables in there. If you are placing a string into your dynamic SOQL query, simply escape single quotes.
I don't know what language you are using there, but the Apex equivalent is:
That is a safe query string.
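The following is an added example, not code from the thread, written in Python so it can run offline; it builds the same SOQL string as the question's C# snippet. It shows what happens when a crafted value is concatenated into the `where Id = '...'` literal, the quote-escaping the answer recommends (mirroring what Apex's `String.escapeSingleQuotes` does, plus doubling backslashes, which is an extra precaution of my own), and a stricter allow-list check that only accepts a 15- or 18-character alphanumeric Salesforce Id. The payload, the benign Id and the `count_string_literals` checker are all constructed for the demonstration; in Apex itself, a bind variable (`where Id = :recordId`) avoids string building altogether.

```python
import re

# Constructed benign value, shaped like the Id in the original question.
GOOD_ID = "003D0000013uxmpIAA"

# Constructed attacker value: closes the Id literal and appends a clause
# that would match every contact with a non-empty e-mail address.
MALICIOUS_ID = "003D0000013uxmpIAA' OR Email != ''"

SELECT = ("select id, lastname, firstname, email, Email_opt_in__c "
          "from contact where Id = '")


def vulnerable_query(record_id: str) -> str:
    """Plain concatenation, as in the question: untrusted text lands
    inside the SOQL string literal unchanged."""
    return SELECT + record_id + "'"


def escape_single_quotes(value: str) -> str:
    """Prefix SOQL string-literal metacharacters with a backslash.

    Apex's String.escapeSingleQuotes covers the quote; the backslash is
    doubled here as well (my addition) so that an input ending in '\\'
    cannot swallow the escape placed before the closing quote.
    Backslash must be handled first, or the quote escapes get doubled.
    """
    return value.replace("\\", "\\\\").replace("'", "\\'")


def escaped_query(record_id: str) -> str:
    """The fix the answer recommends: escape before concatenating."""
    return SELECT + escape_single_quotes(record_id) + "'"


# A Salesforce record Id is 15 characters, or 18 with the checksum suffix,
# and is alphanumeric only, so an allow-list is the tightest check here.
SF_ID = re.compile(r"[A-Za-z0-9]{15}(?:[A-Za-z0-9]{3})?")


def validated_query(record_id: str) -> str:
    """Allow-list approach: refuse anything that is not shaped like an Id.
    Nothing that passes can contain a quote, so no escaping is needed."""
    if not SF_ID.fullmatch(record_id):
        raise ValueError("not a Salesforce record Id: %r" % record_id)
    return SELECT + record_id + "'"


def count_string_literals(soql: str) -> int:
    """Count the quoted literals in a SOQL statement, honouring backslash
    escapes. A successful injection shows up as more than one literal
    where the template only has one."""
    count, in_literal, i = 0, False, 0
    while i < len(soql):
        c = soql[i]
        if in_literal:
            if c == "\\":
                i += 1          # skip the escaped character
            elif c == "'":
                in_literal = False
                count += 1
        elif c == "'":
            in_literal = True
        i += 1
    return count


if __name__ == "__main__":
    for label, fn in (("vulnerable", vulnerable_query), ("escaped", escaped_query)):
        q = fn(MALICIOUS_ID)
        print("%-10s literals=%d  %s" % (label, count_string_literals(q), q))
    try:
        validated_query(MALICIOUS_ID)
    except ValueError as exc:
        print("validated  rejected: %s" % exc)
```

With the payload above, the vulnerable builder produces a statement with two string literals (the attacker's `OR` clause now sits outside the quotes), the escaped builder keeps it inside a single literal, and the allow-list builder rejects the value outright. For a field that is known to be an Id, the allow-list is the check to prefer; escaping is the general tool for free-text fields such as `lastname`.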
Hi,
Here you will get an exact idea of what SOQL injection is and how to solve it.
http://wikisf.blogspot.in/2012/08/preventing-soql-injection.html
Thanks,
Milan