How to overcome SOQL Injection Vulnerability in salesforce?

Hi vikas,

Suppose you have a search form and instead of typing a valid search parameter, User types something invalid text and that can make your SOQL query invalid and expose the unexpected result.

The worst scenario could be if resultant data from a query supposed to be deleted.
let’s have one more quick example for this :

I have a case where I want to delete the Account based on name entered in the input name field on page.
Implementation can be like this :

List<Account> listAccount = Database.query(‘Select id from Account where Name = \” + nameField + ‘\’ ‘);

delete listAccount;

It works great with a valid value.
Now it can be worst if value of nameField is provided like :

nameField = \’ OR Id != null OR Type != \’
So once the action will be performed, this will be bind-up with the query and resultant query will be like this :

List<Account> listAccount = Database.query(‘Select id from Account where Name = \’\’\’ OR ID != null OR Type != \’\’ ‘);

delete listAccount;

So hopefully , you can see the monster here. It will delete the entire database for account records.

Salesforce provides escape functions to get rid from SOQL injection.
Solution can be one of the followings:
Try to use STATIC queries as much as possible. STATIC query has inbuilt escaping.
If dynamic query is needed , then all the search parameters should use escapeSingleQuotes() function.like
List<Account> listAccount = Database.query(‘Select id from Account where Name = \” + String.escapeSingleQuotes(nameField) + ‘\’ ‘);
String.escapeSingleQuotes method adds the escape character (\) to all single quotation marks in a string that is passed in from a user. The method ensures that all single quotation marks are treated as enclosing strings, instead of database commands.

Thanks.