ISVforce Guide

ISVforce Guide: Build and Distribute AppExchange Solutions
Get Ready to Distribute on AppExchange
Use Managed Packages to Develop Your AppExchange Solution
Design Your AppExchange Solution
Security Requirements for AppExchange Partners and Solutions
Security Policy Requirements
Prevent Secure Coding Violations
Load JavaScript Files from Third-Party Endpoints
Load Third-Party CSS in Lightning Components
Use CSS Outside Components
Running JavaScript in the Salesforce Domain
Expose Secret Data When Debugging
Store Sensitive Data Insecurely
Using Software That Has Known Vulnerabilities
Use Sample Code in Production
Bypass Object-Level and Field-Level Access Settings
Bypass Sharing Rules in Apex
SOQL Injection Due to Insecure Database Query Construction
Cross-Site Request Forgery
Open Redirects
Lightning LockerService Disabled
Insufficient Escaping in Lightning Components
Asynchronous Code in Components
Secure Communication
Secure Your B2C Commerce Solution
Secure Your Tableau Accelerator
Architectural Considerations for Group and Professional Editions
Manage Orgs with Environment Hub
Pass the AppExchange Security Review
Publish Your Solution on AppExchange
Sell on AppExchange with Checkout
Monitor Performance with Analytics for AppExchange Partners
Report Orders to Salesforce with the Channel Order App
Provide Free Trials of Your AppExchange Solution
OEM User License Guide
PDF

Newer Version Available

This content describes an older version of this product. View Latest

SOQL Injection Due to Insecure Database Query Construction

To prevent Salesforce Object Query Language (SOQL) injection, use bind variables and input sanitation.

SOQL injection is a vulnerability in which a user directly controls portions of a SOQL database query. SOQL queries executed in Apex don’t respect user permissions. Therefore, SOQL injections can be used to elevate users’ privileges and allow them to access to data beyond their user permissions.

The two types of SOQL injection vulnerabilities require different protection approaches.

In the first type, the user supplies an incorrect table or field name to query against. When user data identifies a field or table name, you must verify that the user has permission to access the named table or field. Keep in mind that this type isn’t a quoted context.

In the second type, the user supplies a portion of a quoted WHERE clause. When user data is inserted into a quoted string context, the data can break out of the quoted context. The preferred protection approach is to use bind variables. Alternatively, you can use EscapeSingleQuotes(). Both of these approaches prevent the user data from breaking out of the quoted context.

Never allow users to supply portions of SOQL queries other than field names, table names, and WHERE clause inputs.

Avoid executing user-generated queries in Apex, where they run in system mode. If you must generate more complex client-side SOQL, use the REST or SOAP API, which make SOQL calls safely.

To learn more about SOQL injection and how to prevent it in your code, check out the Secure Server-Side Development module on Trailhead.

SOQL Example

This SOQL statement is insecure because it’s built by concatenating a string with embedded user input. No input sanitization occurs before the database.query statement executes.
If you must use dynamic SOQL, use the EscapeSingleQuotes() method to sanitize user-supplied input. This method adds the escape character (\) to all single quotation marks in the user-supplied string. Adding the escape character ensures that all single quotation marks are treated as enclosing strings instead of as database commands.