Sunday, September 14, 2014

SOQL Injection in Salesforce?

SOQL Injection in Salesforce?

Suppose you have a search form and instead of typing a valid search parameter, User types something invalid text  and that can make your SOQL query invalid and expose the unexpected result.

This situation occurs when user input is not filtered for escape characters. let's have a pictorial look :






It's a SQL example , but describe the SOQL injection as well in a good manner.
So here you can see that. In the User id field once user puts a invalid parameter and goes to the controller and form a query that  results in a invalid login.

The worst scenario could be if resultant data from a query supposed to be deleted.
 let's have one more quick example for this :

I have a case where I want to delete the Account based on name entered in the input name field on page.
Implementation can be like this :

List<Account> listAccount = Database.query('Select id from Account where Name = \'' + nameField + '\' '); 

delete listAccount;


It works great with a valid value.
 Now it can be worst if value of nameField is provided like :

nameField = \' OR Id != null OR Type != \'


So once the action will be performed, this will be bind-up with the query and resultant query will be like this :
  

List<Account> listAccount = Database.query('Select id from Account where Name = \'\'\' OR ID != null OR Type != \'\' ');

delete  listAccount;


So hopefully , you can see the monster  here. It will delete the entire database for account records.

Salesforce provides escape functions to get rid from SOQL injection. 
Solution can be one of the followings:
  1. Try to use STATIC queries as much as possible. STATIC query has inbuilt escaping.
  2. If dynamic query is needed , then all the search parameters should use escapeSingleQuotes() function.like
    List<Account> listAccount = Database.query('Select id from Account where Name = \'' + String.escapeSingleQuotes(nameField) + '\' ');
String.escapeSingleQuotes method adds the escape character (\) to all single quotation marks in a string that is passed in from a user. The method ensures that all single quotation marks are treated as enclosing strings, instead of database commands.








0 comments:

Post a Comment

 
| ,