String.escapeSingleQuotes in Dynamic SOQL

Hello,

I am struck with the use of String.escapeSingleQuotes in Dynamic SOQL. I have one visualforce page which provides search page for user to search knowledge article records. There are 3 filters on page but only 1 field is a text file while others are picklists. I am using below query to get the list of article records.

qryString = 'SELECT Id, title, ArticleType, KnowledgeArticleId, UrlName FROM KnowledgeArticleVersion WHERE PublishStatus = \'online\' AND Language = \'en_US\' ';
qryString = qryString + 'AND ' + 'Title LIKE \' ' + String.escapeSingleQuotes(articleTitle) + '\' ';
articleList = Database.Query(qryString);

But m still getting SOQL SOSL injection issue while running security scan. Can someone please help me on this?

Thanks in Advance!!!!!

March 27, 2014
·
Answer
·
Like
0
·
Follow
1

Swati G
You can take String.escapeSingleQuotes value in some string variable and use that as a binding in dynamic query.

String title = String.escapeSingleQuotes(articleTitle);
qryString = 'SELECT Id, title, ArticleType, KnowledgeArticleId, UrlName FROM KnowledgeArticleVersion WHERE PublishStatus = \'online\' AND Language = \'en_US\' ';
qryString = qryString + 'AND ' + 'Title LIKE :title ';
articleList = Database.Query(qryString);

April 4, 2014
·
Like
0
·
Dislike
0

Ramu_SFDC
You can consider using JSENCODE method. Please review the below post & article for more information

https://developer.salesforce.com/forums/ForumsMain?id=906F00000008oE7IAI

http://www.salesforce.com/us/developer/docs/pages/Content/pages_variables_functions.htm

April 6, 2014
·
Like
0
·
Dislike
0

You need to sign in to do that.

Need an account? Sign Up

Have an account? Sign In

Dismiss

Browse by Topic

Welcome to Support!

Show

sorted by

String.escapeSingleQuotes in Dynamic SOQL

You need to sign in to do that.