Experience Cloud Developer Guide

Get Up to Speed with Experience Builder Sites
Develop Experience Builder Sites: The Basics
Brand Your Aura Site
Develop Secure Sites: Authenticated and Guest Users
Limit Declarative Access
Determine a Security Model
Limit Access to Apex Classes
Flow Security
SOQL Injection
Develop Secure Sites: CSP, LWS, and Lightning Locker
Analyze and Improve Experience Builder Site Performance
Add Pardot Tracking to Your Experience Builder Site
Use a CMS with Your Experience Builder Site
Report on Deflections: The Deflection Signals Framework
Deploy an Experience Cloud Site from Sandbox to Production
PDF

Newer Version Available

This content describes an older version of this product. View Latest

SOQL Injection

Sanitize user-controlled data passed into dynamic SOQL queries.
SOQL or SOSL injection occurs when Apex code inserts user-controlled data into dynamic SOQL or SOSL queries without properly sanitizing the input. There are two scenarios to consider:
  • Changing the overall structure of the query
  • Changing the value of a query parameter

Control these scenarios by invoking Apex code that prevents callers from accessing data they’re not entitled to.

Consider this code:

The user potentially gains control over the query and accesses more information than they’re entitled to.

The return value of the query doesn’t limit the information the user can access. The user can submit a string, such as :
The return value of the query names all the accounts with an annual revenue in excess of $100,000, which is not what the developer intended to return to the caller.
Fixing SOQL or SOSL injection requires the appropriate contextual encoding. Don’t apply String.escapeSingleQuotes to every user input. Rather, sanitize fields based on where they appear in the SOQL or SOSL query.
  • For variables in WHERE (SOQL), ORDER BY (SOQL), WITH (SOSL), or FIND (SOSL) clauses, use bound variables:
  • For field and table names, call isAccessible on the describeResult of the field. Or to enforce declarative policies, use your own procedural logic to limit the field or table names to what your security policy allows.
  • For parameters in quoted strings, use bind variables. Don’t use bind variables or String.escapeSingleQuote to sanitize table names and field names, or any parameters that don’t appear in a quoted context.
  • For other primitive types, cast the user input into a boolean, integer, Id, or other primitive (non-string) type.
Be aware that the WITH SECURITY_ENFORCED keyword doesn’t sanitize WHERE clauses, only SELECT and FROM clauses, so it isn’t a sanitizer for SOQL or SOSL injection attacks.