FAQ-001588 - SQL Injection and Input Validation / Best Practices and Prevention Strategies


Current FAQ

Question
How can I prevent SOQL injection in dynamic query builders while maintaining flexibility?
Answer
To prevent SOQL injection in dynamic query builders while maintaining flexibility, follow these practices:

1. **Use Bind Variables**: Safely include user-supplied input in your queries using bind variables to ensure the input remains within its quoted context.
2. **Sanitize Input**: Use `String.escapeSingleQuotes()` to sanitize user-supplied strings, escaping single quotes to prevent breaking out of the quoted context.
3. **Whitelist Validation**: Validate user-supplied object or field names against a predefined whitelist of acceptable values. Use `Schema.getGlobalDescribe()` to retrieve valid names for comparison.
4. **Perform CRUD/FLS Checks**: Enforce CRUD (Create, Read, Update, Delete) and FLS (Field-Level Security) checks to ensure users have the necessary permissions for the specified objects and fields.
5. **Avoid User-Generated Queries in Apex**: Do not execute user-generated queries directly in Apex, as they bypass user permissions. Use the REST or SOAP API for safer execution if dynamic queries are necessary.
6. **Restrict Query Components**: Limit user-supplied input to specific query components like object names, field names, and WHERE clause inputs. Avoid allowing users to supply other parts of the query.
7. **Combine Methods for Complex Inputs**: For more complex scenarios, combine input sanitization with other security measures to address all potential risks.

These steps will help you build flexible yet secure dynamic queries in Salesforce.

AI Recommended Enhancement

Related Security Rules: ApexSOQLInjection, ApexCRUDViolation
Question
How can I prevent SOQL injection in dynamic query builders while maintaining flexibility?
Recommended Answer Update
To prevent SOQL injection in dynamic query builders while maintaining flexibility, follow these practices:

1. **Use Bind Variables**: Safely include user-supplied input in your queries using bind variables to ensure the input remains within its quoted context.
2. **Sanitize Input**: Use `String.escapeSingleQuotes()` to sanitize user-supplied strings, escaping single quotes to prevent breaking out of the quoted context.
3. **Whitelist Validation**: Validate user-supplied object or field names against a predefined whitelist of acceptable values. Use `Schema.getGlobalDescribe()` to retrieve valid names for comparison.
4. **Perform CRUD/FLS Checks**: Enforce CRUD (Create, Read, Update, Delete) and FLS (Field-Level Security) checks to ensure users have the necessary permissions for the specified objects and fields. Consider using modern approaches like `WITH USER_MODE` in SOQL queries or `AccessLevel.USER_MODE` for Database methods, which automatically enforce security permissions.
5. **Avoid User-Generated Queries in Apex**: Don't execute user-generated queries directly in Apex, as they bypass user permissions. Use the REST or SOAP API for safer execution if dynamic queries are necessary.
6. **Restrict Query Components**: Limit user-supplied input to specific query components like object names, field names, and WHERE clause inputs. Avoid allowing users to supply other parts of the query.
7. **Combine Methods for Complex Inputs**: For more complex scenarios, combine input sanitization with other security measures to address all potential risks.

These steps will help you build flexible yet secure dynamic queries in Salesforce.
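The practices above (whitelist validation through `Schema.getGlobalDescribe()`, a bind variable for the untrusted value, and `AccessLevel.USER_MODE` for CRUD/FLS enforcement) combined in one small query builder, as an added example that is not part of this FAQ or of any Salesforce library. It assumes a constructed allow-list of `Account` and `Contact`, a hypothetical `UnsafeInputException` class, and an API version that provides `Database.queryWithBinds` (57.0 or later).

```apex
public with sharing class SafeQueryBuilder {
    // Hypothetical exception type used to reject input that fails validation.
    public class UnsafeInputException extends Exception {}

    // Constructed allow-list: the only objects this feature is permitted to query.
    private static final Set<String> ALLOWED_OBJECTS = new Set<String>{ 'Account', 'Contact' };

    // objectName, fieldNames and filterField are validated against the schema;
    // filterValue is the only value that reaches the query as data (via a bind).
    public static List<SObject> find(String objectName, List<String> fieldNames,
                                     String filterField, String filterValue) {
        // Whitelist validation: reject anything not on the allow-list or not in the org schema.
        Map<String, Schema.SObjectType> gd = Schema.getGlobalDescribe();
        if (!ALLOWED_OBJECTS.contains(objectName) || gd.get(objectName) == null) {
            throw new UnsafeInputException('Object not permitted: ' + objectName);
        }
        Schema.DescribeSObjectResult objDescribe = gd.get(objectName).getDescribe();
        Map<String, Schema.SObjectField> fieldMap = objDescribe.fields.getMap();

        // Field names are taken back out of the describe map, so the text that is
        // concatenated into the query is always a known API name, never raw input.
        List<String> safeFields = new List<String>();
        for (String f : fieldNames) {
            Schema.SObjectField token = fieldMap.get(f);
            if (token == null) {
                throw new UnsafeInputException('Field not permitted: ' + f);
            }
            safeFields.add(token.getDescribe().getName());
        }
        Schema.SObjectField filterToken = fieldMap.get(filterField);
        if (filterToken == null) {
            throw new UnsafeInputException('Filter field not permitted: ' + filterField);
        }

        // The untrusted value is referenced as a bind variable, so a single quote in it
        // stays inside the quoted context and cannot change the structure of the query.
        String soql = 'SELECT ' + String.join(safeFields, ', ')
            + ' FROM ' + objDescribe.getName()
            + ' WHERE ' + filterToken.getDescribe().getName() + ' = :filterValue';

        // USER_MODE enforces CRUD and FLS for the running user; a violation throws
        // a QueryException instead of silently returning data the user may not see.
        return Database.queryWithBinds(
            soql,
            new Map<String, Object>{ 'filterValue' => filterValue },
            AccessLevel.USER_MODE
        );
    }
}
```

A caller such as `SafeQueryBuilder.find('Contact', new List<String>{ 'Id', 'Email' }, 'LastName', userInput)` therefore never lets `userInput` influence anything but the compared value.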
Reasoning
The FAQ content is generally accurate and comprehensive. I made minor improvements for clarity and modernization: changed 'Do not execute' to the more conversational 'Don't execute' in point 5, and enhanced point 4 to mention modern security enforcement approaches like `WITH USER_MODE` and `AccessLevel.USER_MODE` while preserving the existing CRUD/FLS guidance. This aligns with the security approaches guidelines to prioritize modern features while not invalidating legacy approaches.

For security rule associations:

- ApexSOQLInjection: This rule directly relates to the FAQ's core topic of preventing SOQL injection in dynamic queries. The FAQ's practices like using bind variables, sanitizing input with `String.escapeSingleQuotes()`, and restricting user-supplied query components all directly address SOQL injection vulnerabilities that this rule detects.
- ApexCRUDViolation: This rule relates to point 4 of the FAQ answer, which discusses enforcing CRUD and FLS checks. The FAQ specifically mentions ensuring users have necessary permissions for objects and fields, which is exactly what this rule helps identify when missing from code.