• big bang
  • NEWBIE
  • 0 Points
  • Member since 2013

Hi...
I have a custom object in which there are two kinds of information: Customers and Cars.
User A creates a record and inputs the Customer's info, user B then modifies it and inputs the Car's info, and user B cannot see what user A entered (this can be done by setting Field Level Access).

But, how about the attachment?
User A would upload some files as Attachments relating to the Customer, and these are secret from user B; vice versa, B may upload some photos of the car which A should not see.

How to deal with this case? Any ideas?

Thank you.

Dears,

I have a search page with several conditions; I pass the conditions to the controller and build my search SOQL like this:

// Dynamic SOQL built by concatenating user input (the approach the post asks about)
String soql = 'select Id, Name from Account where Id != null'; // base clause so each condition can start with ' and'
if (a != null) {
    // the user-supplied value a becomes part of the query text itself
    soql += ' and xxx__c = \'' + a + '\'';
}
if (b != null) {
    soql += ' and yyy__c = \'' + b + '\'';
}
......
List<Account> accList = Database.query(soql);

It seems like this cannot pass the security scan because it is a SOQL injection. (Well, I just heard about that; I don't know whether this really cannot pass the scan...)

I read the wiki and other documents; they just say you should use static SOQL to pass the parameters, like this:

PreparedStatement query = "select * from users where userid = :user and password = :password";
query.bindInt("user", Request.form("user").intValue());
query.bindString("password", getSaltedHash(Request.form("password")));
Database.executePreparedStatement(query);

But in my situation, I need to build the where clause dynamically.

Are there any solutions to deal with it?

Waiting for your answers.

Thank you.
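One way to keep the WHERE clause dynamic while keeping user input out of the query text, as an added Apex example that is not part of the original post: the clause fragments are fixed strings written by the developer and the values travel as bind variables. The class name, the `a`/`b` properties and the `Database.queryWithBinds` variant (available from API version 57.0) are assumptions; only the field names `xxx__c` and `yyy__c` come from the post.

```apex
// Added example, not from the original post. Field names xxx__c / yyy__c
// are the ones the post uses; the class name and inputs are assumed.
public with sharing class AccountSearchController {
    public String a { get; set; }   // value for xxx__c, from the search page
    public String b { get; set; }   // value for yyy__c, from the search page

    // Assembles the WHERE clause from fixed, developer-controlled fragments.
    // User input is never concatenated into the SOQL text; each fragment
    // refers to a bind variable, so quotes or operators in a or b cannot
    // alter the structure of the query.
    public List<Account> search() {
        List<String> clauses = new List<String>();
        if (String.isNotBlank(a)) {
            clauses.add('xxx__c = :a');
        }
        if (String.isNotBlank(b)) {
            clauses.add('yyy__c = :b');
        }
        String soql = 'SELECT Id, Name FROM Account';
        if (!clauses.isEmpty()) {
            soql += ' WHERE ' + String.join(clauses, ' AND ');
        }
        // Database.query resolves :a and :b from the variables in scope here.
        return Database.query(soql);
    }

    // Same idea with an explicit bind map (Database.queryWithBinds,
    // API 57.0 and later); useful when the filter values arrive in a Map
    // rather than in named variables. AccessLevel.USER_MODE additionally
    // enforces the running user's object and field permissions.
    public List<Account> searchWithBinds(Map<String, Object> filters) {
        // Allowlist of filterable fields: only these names ever reach the query.
        Set<String> allowed = new Set<String>{ 'xxx__c', 'yyy__c' };
        List<String> clauses = new List<String>();
        Map<String, Object> binds = new Map<String, Object>();
        for (String field : filters.keySet()) {
            if (!allowed.contains(field) || filters.get(field) == null) {
                continue;
            }
            clauses.add(field + ' = :' + field);
            binds.put(field, filters.get(field));
        }
        String soql = 'SELECT Id, Name FROM Account';
        if (!clauses.isEmpty()) {
            soql += ' WHERE ' + String.join(clauses, ' AND ');
        }
        return Database.queryWithBinds(soql, binds, AccessLevel.USER_MODE);
    }
}
```

If a value genuinely has to be spliced into the query string (for example a LIKE pattern built in code), wrap it with `String.escapeSingleQuotes()`; field and object names taken from the request should still be checked against an allowlist, since escaping does not protect identifiers.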
