SOQL Injection in Salesforce?Suppose you have a search form and instead of typing a valid search parameter, User types something invalid text and that can make your SOQL query invalid and expose the unexpected result.
This situation occurs when user input is not filtered for escape characters. let's have a pictorial look :
It's a SQL example , but describe the SOQL injection as well in a good manner.
So here you can see that. In the User id field once user puts a invalid parameter and goes to the controller and form a query that results in a invalid login.
The worst scenario could be if resultant data from a query supposed to be deleted.
let's have one more quick example for this :
I have a case where I want to delete the Account based on name entered in the input name field on page.
Implementation can be like this :
List<Account> listAccount = Database.query('Select id from Account where Name = \'' + nameField + '\' ');
It works great with a valid value.
Now it can be worst if value of nameField is provided like :
nameField = \' OR Id != null OR Type != \'
So once the action will be performed, this will be bind-up with the query and resultant query will be like this :
List<Account> listAccount = Database.query('Select id from Account where Name = \'\'\' OR ID != null OR Type != \'\' ');
So hopefully , you can see the monster here. It will delete the entire database for account records.
Salesforce provides escape functions to get rid from SOQL injection.
Solution can be one of the followings:
- Try to use STATIC queries as much as possible. STATIC query has inbuilt escaping.
- If dynamic query is needed , then all the search parameters should use escapeSingleQuotes() function.like
List<Account> listAccount = Database.query('Select id from Account where Name = \'' + String.escapeSingleQuotes(nameField) + '\' ');