The previous problem is known as SQL injection in other programming languages. Apex does not use SQL, instead employing SOQL, its own database query language. SOQL is significantly easier to use and has less features than SQL. As a result, the risks of SOQL injection are substantially smaller than those of SQL injection, yet the assaults are essentially comparable to those of regular SQL injection.
In summary, SQL/SOQL injection is the process of using user-supplied data in a dynamic SOQL query. If the input is not validated, it may contain SOQL commands that modify the SOQL statement and cause the application to execute undesired commands.
Apex’s SOQL Injection Vulnerability
A basic sample of Apex and Visualforce code that is vulnerable to SOQL injection is shown below.
<apex:page controller="AccountSearchController" >
<apex:form>
<apex:outputText value="Enter Account Name" />
<apex:inputText value="{!name}" />
<apex:commandButton value="query" action="{!getAccounts}“ />
</apex:form>
</apex:page>
public class AccountSearchController {
public String name {
get { return name;}
set { name = value;}
}
public PageReference getAccounts() {
String query = 'SELECT Id FROM Account WHERE Name like \'%' + name + '%\'';
List<Account> accList= Database.query(query);
System.debug('account result is ' + accList);
return null;
}
}This is a pretty basic example, but it demonstrates the concept. The code is designed to find contacts that haven’t been deleted. Name is the only input value provided by the user. The value can be anything the user enters, and it is never checked. The Database.query method is used to run the SOQL query, which is constructed dynamically. The statement executes as expected if the user supplies a valid value:
// User supplied value: name = James
SELECT Id FROM Account WHERE Name like '%James%'What if, on the other hand, the user offers unexpected input, such as:
// User supplied value for name: test%' OR Name LIKE '
SELECT Id FROM Account WHERE Name LIKE '%test%' OR Name LIKE '%'
The results now show all account. A SOQL Injection issue can be used to change any vulnerable query’s intended logic.
Prevent SOQL Injection
public class AccountSearchController{
public String name {
get { return name;}
set { name = value;}
}
public PageReference getAccounts() {
String queryParam= '%' + name + '%';
List<Account> accountList = [SELECT Id FROM Account WHERE Name like :queryParam];
System.debug('account list is ' + accountList);
return null;
}
}Utilize the escapeSingleQuotes function to sanitise user-supplied information if you must use dynamic SOQL. This method replaces all single quotation marks in a string handed in by the user with the escape character (). All single quotation marks are regarded as enclosing strings instead of database commands, thanks to this approach.