Another Salesforce blog!!!

Salesforce, Apex

Avoiding SOQL Injection


Vulnerable to SOQL Injection

[codesyntax lang="php"]

// Query template: the user's search term is spliced into the string in place of Acme
SELECT Name FROM Account WHERE (Name LIKE '%Acme%')

// User-supplied value
test%') OR (Name LIKE '

// The string becomes the following: the quote and parenthesis close the
// intended condition and the appended OR matches every Account
SELECT Name FROM Account WHERE (Name LIKE '%test%') OR (Name LIKE '%')

// SOQL injection protected: a bind variable in static SOQL is passed as data,
// so the input can never change the structure of the query
String query = '%' + name + '%';
List<Contact> queryResult = [SELECT Name FROM Contact WHERE (IsDeleted = false AND Name LIKE :query)];

[/codesyntax]
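The snippet above shows the query text but not the Apex that builds it. The class below is an added example, not code from this post, that puts the vulnerable dynamic query next to the bind-variable fix and two further safe variants. The class and method names (AccountSearch, searchUnsafe, searchBound, searchDynamicBound, searchEscaped) are hypothetical; it assumes only the standard Account object.

```apex
// Added example (not from the blog post). Names are hypothetical.
public with sharing class AccountSearch {

    // VULNERABLE: user input is concatenated into dynamic SOQL.
    // The input  test%') OR (Name LIKE '  turns the query into
    // SELECT Name FROM Account WHERE (Name LIKE '%test%') OR (Name LIKE '%')
    // which returns every Account the running user can see.
    public static List<Account> searchUnsafe(String term) {
        String soql = 'SELECT Name FROM Account WHERE (Name LIKE \'%' + term + '%\')';
        return Database.query(soql);
    }

    // SAFE: static SOQL with a bind variable. The value is sent as data and
    // cannot alter the query structure. This is the post's fix applied to Account.
    public static List<Account> searchBound(String term) {
        String pattern = '%' + term + '%';
        return [SELECT Name FROM Account WHERE Name LIKE :pattern];
    }

    // SAFE when the query text must be assembled at runtime:
    // Database.queryWithBinds (API 57.0 and later) keeps the value out of the
    // query string and runs the query in user mode.
    public static List<Account> searchDynamicBound(String term) {
        Map<String, Object> binds = new Map<String, Object>{ 'pattern' => '%' + term + '%' };
        return Database.queryWithBinds(
            'SELECT Name FROM Account WHERE Name LIKE :pattern',
            binds,
            AccessLevel.USER_MODE);
    }

    // Fallback for older API versions: escape quotes before concatenating.
    // This blocks the quote break, but % and _ in the input still act as
    // LIKE wildcards, exactly as they do with the bind variable above.
    public static List<Account> searchEscaped(String term) {
        String safeTerm = String.escapeSingleQuotes(term);
        String soql = 'SELECT Name FROM Account WHERE (Name LIKE \'%' + safeTerm + '%\')';
        return Database.query(soql);
    }
}
```

Prefer searchBound wherever the query shape is fixed; it is the simplest form and the compiler checks it. None of the safe variants make `%` or `_` literal, so if a search for the literal character is needed, prefix those characters with a backslash in the pattern before binding it.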
