SOQL Injection and Prevention


SOQL Injections in Salesforce are a type of security attack. Below, we discuss how SOQL Injections happen and how to prevent them.


What is SOQL Injection in Salesforce?

SOQL Injection occurs when user-supplied input is concatenated into a query string, so a user can enter SOQL fragments in the input field that change the query's logic and bypass the restrictions the original query was meant to enforce.

For Example:

  1. String userInput = 'test\' or Name != null';
  2. String userInput = 'WGC';
  3. String query = 'Select Id From Account Where Name = \'' + userInput + '\'';


The query on line 3 can be built from either of the two inputs above: the one on line 1 or the one on line 2. A user sending the value from line 2 through the UI is no problem for the system, because the query then looks like this.

Resultant Query -> Select Id From Account Where Name = 'WGC'

This would show the accurate result. The problem comes when the user puts the value from line 1 into the UI input. Then the query would look like this.

Resultant Query -> Select Id From Account Where Name = 'test' or Name != null

Now, the above query would return all the accounts to the user, whether or not they have access to them.

This happens only with dynamic queries, where the query string is assembled at runtime.

Prevent SOQL Injection in Salesforce

To prevent SOQL Injections in Salesforce, you can escape the user input with the String class method before concatenating it into a dynamic query:

String.escapeSingleQuotes(userInput);

OR

You can use Static queries with bind variables instead.
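The following Apex class is an added example, not code from the original post. It puts the vulnerable dynamic query beside the two fixes the post recommends (escaping the input, or a static query with a bind variable) and adds the dynamic-query bind form that Salesforce provides through Database.queryWithBinds. The class name AccountSearch and the method names are assumptions; the input is assumed to arrive from a Lightning component or Visualforce page.

```apex
// Added example (not from the original post). Runs in any org as an Apex class;
// names are assumed. `with sharing` makes record-level sharing rules apply, so
// a caller cannot see Accounts they have no access to even if the query is broad.
public with sharing class AccountSearch {

    // VULNERABLE: the input is concatenated straight into the query string.
    // The post's input  test' or Name != null  closes the string literal and
    // appends its own condition to the WHERE clause.
    public static List<Account> findUnsafe(String userInput) {
        String query = 'SELECT Id FROM Account WHERE Name = \'' + userInput + '\'';
        return Database.query(query);
    }

    // FIX 1: keep the dynamic query but escape the INPUT (not the whole query).
    // escapeSingleQuotes turns  test' or Name != null  into  test\' or Name != null,
    // so the value stays inside the string literal and simply matches no Account.
    public static List<Account> findEscaped(String userInput) {
        String safeInput = String.escapeSingleQuotes(userInput);
        String query = 'SELECT Id FROM Account WHERE Name = \'' + safeInput + '\'';
        return Database.query(query);
    }

    // FIX 2 (preferred): a static query with a bind variable. The value is handed
    // to the query engine as data and is never parsed as SOQL, so no escaping is needed.
    public static List<Account> findStatic(String userInput) {
        return [SELECT Id FROM Account WHERE Name = :userInput];
    }

    // When the query must stay dynamic (for example, the field list varies), bind
    // the value through a Map instead of concatenating it. AccessLevel.USER_MODE
    // additionally enforces the running user's object and field permissions.
    public static List<Account> findDynamicBind(String userInput) {
        Map<String, Object> binds = new Map<String, Object>{ 'nameValue' => userInput };
        return Database.queryWithBinds(
            'SELECT Id FROM Account WHERE Name = :nameValue',
            binds,
            AccessLevel.USER_MODE
        );
    }
}
```

Two caveats worth keeping in mind. String.escapeSingleQuotes only protects values that sit inside single-quoted string literals; input that ends up elsewhere in the query (a field name in ORDER BY, a number in LIMIT, a Boolean or date comparison) is not quoted, so escaping does nothing there and the value must instead be checked against an allowlist or cast to its proper type. And escaping addresses only the query's logic: which records the query may return is governed separately by sharing, so pair the fix with `with sharing` or USER_MODE as shown.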

Conclusion

When creating front-end applications that involve taking input from the user that is going to be fed to a query, always use the prevention methods mentioned above.


Additional Resources

Cover Photo by Luca Bravo on Unsplash
