Activity Forums Salesforce® Discussions Prevention of SOQL Injection

  • chanchal kumar

    Member
    September 4, 2018 at 12:02 pm

    Hello Avnish,

    There are a number of techniques you can use to prevent SOQL injection:

    1. Static queries with bind variables
    2. String.escapeSingleQuotes()
    3. Type casting
    4. Replacing characters
    5. Whitelisting

    for elobraton you can check following link: https://trailhead.salesforce.com/en/modules/secdev_injection_vulnerabilities/units/secdev_inject_prevent_soql_injection

  • shariq

    Member
    September 17, 2018 at 8:48 pm

    Hi,

    To add more -

    In other programming languages, the previous flaw is known as SQL injection. Apex does not use SQL, but uses its own database query language, SOQL. SOQL is much simpler and more limited in functionality than SQL. Therefore, the risks are much lower for SOQL injection than for SQL injection, but the attacks are nearly identical to traditional SQL injection. In summary SQL/SOQL injection involves taking user-supplied input and using those values in a dynamic SOQL query. If the input is not validated, it can include SOQL commands that effectively modify the SOQL statement and trick the application into performing unintended commands.

    SOQL Injection Vulnerability in Apex
    Below is a simple example of Apex and Visualforce code vulnerable to SOQL injection.

    <apex:page controller="SOQLController" >
    <apex:form>
    <apex:outputText value="Enter Name" />
    <apex:inputText value="{!name}" />
    <apex:commandButton value="Query" action="{!query}“ />
    </apex:form>
    </apex:page>

    public class SOQLController {
    public String name {
    get { return name;}
    set { name = value;}
    }
    public PageReference query() {
    String qryString = 'SELECT Id FROM Contact WHERE ' +
    '(IsDeleted = false and Name like \'%' + name + '%\')';
    queryResult = Database.query(qryString);
    return null;
    }
    }

    Hope this helps.

  • Parul

    Member
    September 21, 2018 at 10:09 pm

    Hi

    The first and most recommended method to prevent SOQL injection is to use static queries with bind variables. Consider the following query.

    String query = ‘select id from contact where firstname =\’’+var+’\’’;
    queryResult = Database.execute(query);

    Copy
    As you’ve learned, using user input (the var variable) directly in a SOQL query opens the application up to SOQL injection. To mitigate the risk, translate the query into a static query like this one.

    queryResult = [select id from contact where firstname =:var];

    Copy
    This ensures that the user input is treated as a variable, not as an executable element of the query. If a user types a value like test’ LIMIT 1 when the database performs the query, it looks for any first names that are “test’ LIMIT 1” in the database. With a bind variable, the attacker isn’t able to break out and control the SOQL query.

    While using bind variables is recommended, there are some limitations. They can only be used in these types of clauses.

    The search string in FIND clauses.
    The filter literals in WHERE clauses.
    The value of the IN or NOT IN operator in WHERE clauses, enabling filtering on a dynamic set of values. Note that this is of particular use with a list of IDs or strings, though it works with lists of any type.
    The division names in WITH DIVISION clauses.
    The numeric value in LIMIT clauses.
    The numeric value in OFFSET clauses.

     

    Thanks

Log In to reply.

Popular Salesforce Blogs

Popular Salesforce Videos

Report

Harassment or bullying behavior
Harassment or bullying behavior
Contains mature or sensitive content
Contains misleading or false information
Mobile App Reported Contents
Contains abusive or derogatory content
Contains spam, fake content or potential malware

Block Member?

Please confirm you want to block this member.

You will no longer be able to:

  • See blocked member's posts
  • Mention this member in posts
  • Invite this member to groups
  • Message this member
  • Add this member as a connection

Please note: This action will also remove this member from your connections and send a report to the site admin. Please allow a few minutes for this process to complete.

Report

You have already reported this .