How to protect against SOQL injection vulnerabilities?

HomeInfallibleTechie Admin

How to protect against SOQL injection vulnerabilities?

InfallibleTechie Admin

Static Query and Bind Variables

The first and most recommended method to prevent SOQL injection is to use static queries with bind variables. Consider the following query.

Static Query:

SELECT Id 
FROM Contact 
WHERE Name LIKE: var
String query = 'select id from contact where firstname =\''+var+'\'';
queryResult = Database.execute(query);

Using user input (the var variable) directly in a SOQL query opens the application up to SOQL injection. To mitigate the risk, translate the query into a static query like this one.

queryResult = [
SELECT Id 
FROM Contact 
WHERE FirstName =:var];

Typecasting

Another strategy to prevent SOQL injection is to use typecasting. By casting all variables as strings, user input can drift outside of expectation. By typecasting variables as integers or Booleans, when applicable, erroneous user input is not permitted.

Escaping Single Quotes

Another XSS mitigation option that is commonly used by developers who include user-controlled strings in their queries is the platform-provided escape function String.escapeSingleQuotes().

If you must use dynamic SOQL, use the escapeSingleQuotes method to sanitize user-supplied input. This method adds the escape character (\) to all single quotation marks in a string that is passed in from a user. The method ensures that all single quotation marks are treated as enclosing strings, instead of database commands.

Whitelisting

Create a list of all “known good” values that the user is allowed to supply. If the user enters anything else, you reject the response.

Replacing Characters

A final approach for your tool belt is character replacement, also known as blacklisting. This approach removes “bad characters” from user input.

Check the below Example

SOQL:

'SELECT Id, AccountNumber, Name, Amount__c 
FROM Account 
WHERE IsActive = ' + var;

If someone enters “true AND AccountNumber = 100”, they will get all info about Account with Account Number “100”.

We can use the below code

var.replaceAll('[^\w]','');

This will remove all the whitespaces. So, that the query becomes invalid( SELECT Id, AccountNumber, Name, Amount__c FROM Account WHERE IsActive = trueANDAccountNumber=100 )

Leave a Reply