Tuesday 21 April 2020

SOQL Injection Best Practice

SOQL Injection:
SOQL injection happens when user-supplied input is placed directly into the values used in dynamic queries, so the input can alter the query itself rather than only supplying a value.

Risk:
There is always a risk that malicious users send different values or commands to fetch the data they want, crash the data, or update the data.

Preventing Steps:
1. The Salesforce platform already takes care of this to some extent: SOQL provides only queries, with no update or delete. This reduces the risk compared with other query platforms.
2. SOQL queries still carry risk, so it is very important to validate the provided input to avoid a SOQL injection vulnerability.
· Best practice is always to write static queries with bind variables.
· If dynamic queries are needed for the requirement, the values passed in must be wrapped with String.escapeSingleQuotes.

Ex:
Different scenario: what could be the fix to avoid the SOQL injection vulnerability?
Whitelisting to fix this:

// Vulnerable version: the field names and object name come from another source
// (metadata, a custom label, etc.) and are only checked for null before being
// concatenated into the query, so any value that is not null reaches the SOQL parser.
String Field1;
String Field2;
String objName;
String accId = 'xxxxxxxx'; // Account Id to pass (placeholder value)
String strQuery;

if (Field1 != null && Field2 != null && objName != null) {
    // Only the Id value is escaped; the identifiers are not validated at all.
    strQuery = 'SELECT ' + Field1 + ', ' + Field2 + ' FROM ' + objName +
        ' WHERE Id = \'' + String.escapeSingleQuotes(accId) + '\'' +
        ' AND ' + Field2 + ' != 0';
}

Fix:

// Compare against the exact expected names instead of != null, so only the
// whitelisted field and object names can ever be concatenated into the query.

if (Field1 == 'Name' && Field2 == 'AccountNumber' && objName == 'Account') {
    strQuery = 'SELECT ' + Field1 + ', ' + Field2 + ' FROM ' + objName +
        ' WHERE Id = \'' + String.escapeSingleQuotes(accId) + '\'' +
        ' AND ' + Field2 + ' != 0';
}
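The following Apex class is an added example, not code from the original post: it combines the three points above (static SOQL with a bind variable as the default, a whitelist for any identifiers that must be dynamic, and a bind for the value instead of concatenation). The class name, the whitelist contents and the use of Database.queryWithBinds (available from API version 57.0) are assumptions for the example.

```apex
public with sharing class SafeQueryBuilder {
    // Assumed whitelist: the only object and fields this code is permitted to query.
    private static final Set<String> ALLOWED_OBJECTS = new Set<String>{ 'Account' };
    private static final Map<String, Set<String>> ALLOWED_FIELDS = new Map<String, Set<String>>{
        'Account' => new Set<String>{ 'Name', 'AccountNumber', 'AnnualRevenue' }
    };

    public class UnsafeQueryException extends Exception {}

    // Preferred form: static SOQL with a bind variable. accId can only ever be a value;
    // it cannot change the structure of the query, so no escaping is needed.
    public static List<Account> getAccountStatic(Id accId) {
        return [SELECT Name, AccountNumber FROM Account WHERE Id = :accId];
    }

    // Dynamic form for cases where the field list really does come from configuration.
    // Identifiers are compared with the exact whitelisted names (as in the fix above)
    // and confirmed to exist in the schema; the value is passed as a bind, never concatenated.
    public static List<SObject> getByFields(String objName, List<String> fieldNames, Id accId) {
        if (!ALLOWED_OBJECTS.contains(objName)) {
            throw new UnsafeQueryException('Object not permitted: ' + objName);
        }
        Schema.SObjectType sot = Schema.getGlobalDescribe().get(objName.toLowerCase());
        Map<String, Schema.SObjectField> fieldMap = sot.getDescribe().fields.getMap();

        List<String> safeFields = new List<String>();
        for (String f : fieldNames) {
            // Exact-name whitelist plus describe check: anything else (including
            // a string such as "Name FROM User WHERE ...") is rejected outright.
            if (!ALLOWED_FIELDS.get(objName).contains(f) || !fieldMap.containsKey(f.toLowerCase())) {
                throw new UnsafeQueryException('Field not permitted: ' + f);
            }
            safeFields.add(f);
        }

        // Only validated identifiers reach the string; the Id is a bind parameter.
        String soql = 'SELECT ' + String.join(safeFields, ', ') +
            ' FROM ' + objName + ' WHERE Id = :accId';
        return Database.queryWithBinds(
            soql,
            new Map<String, Object>{ 'accId' => accId },
            AccessLevel.USER_MODE
        );
    }
}
```

If an older API version without Database.queryWithBinds is required, keep the whitelist checks and fall back to String.escapeSingleQuotes on the Id value as the post shows; the whitelist is what protects the identifiers, and escaping only protects the value.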