FAQ-001589 - SQL Injection and Input Validation / Dynamic SOQL Query Construction

Current Status: VALID_RESPONSE

Current FAQ

Question
How can I safely build dynamic SOQL queries when object and field names are determined at runtime?
Answer
To safely build dynamic SOQL queries when object and field names are determined at runtime in Salesforce, follow these comprehensive practices:

1. **Validate Object and Field Names**: Use `Schema.getGlobalDescribe()` to retrieve a map of all objects in the schema. Verify the object exists and is accessible using `getDescribe().isAccessible()`. For fields, use the `fields.getMap()` method on the object's describe result and validate field accessibility with `getDescribe().isAccessible()`.
2. **Use Bind Variables**: Include user-supplied input in the WHERE clause using bind variables to ensure it is safely handled and cannot alter the query structure.
3. **Sanitize Input**: If bind variables are not an option, sanitize input using `String.escapeSingleQuotes()` to escape single quotes. Combine this with other validation methods for comprehensive protection.
4. **Perform CRUD/FLS Checks**: Ensure the user has the necessary permissions to access the object and fields by performing CRUD (Create, Read, Update, Delete) and FLS (Field-Level Security) checks.
5. **Avoid User-Generated Queries in Apex**: Do not execute user-generated queries directly in Apex, as they bypass user permissions. Use the REST or SOAP API for safer execution if dynamic queries are necessary.
6. **Restrict Query Components**: Limit user-supplied input to object names, field names, and WHERE clause inputs. Avoid allowing users to supply other parts of the query.
7. **Use Secure APIs**: For more complex queries, consider using the REST or SOAP API to ensure safe execution.

These steps will help you securely construct dynamic SOQL queries while mitigating risks and preventing information disclosure vulnerabilities.

AI Recommended Enhancement

Related Security Rules
- ApexSOQLInjection
- ApexCRUDViolation
Question
How can I safely build dynamic SOQL queries when object and field names are determined at runtime?
Recommended Answer Update
To safely build dynamic SOQL queries when object and field names are determined at runtime in Salesforce, follow these comprehensive practices:

1. **Validate Object and Field Names**: Use `Schema.getGlobalDescribe()` to retrieve a map of all objects in the schema. Verify the object exists and is accessible using `getDescribe().isAccessible()`. For fields, use the `fields.getMap()` method on the object's describe result and validate field accessibility with `getDescribe().isAccessible()`.
2. **Use Bind Variables**: Include user-supplied input in the WHERE clause using bind variables to ensure it's safely handled and can't alter the query structure.
3. **Sanitize Input**: If bind variables aren't an option, sanitize input using `String.escapeSingleQuotes()` to escape single quotes. Combine this with other validation methods for comprehensive protection.
4. **Perform CRUD/FLS Checks**: Ensure the user has the necessary permissions to access the object and fields by performing CRUD (Create, Read, Update, Delete) and FLS (Field-Level Security) checks.
5. **Avoid User-Generated Queries in Apex**: Don't execute user-generated queries directly in Apex, as they bypass user permissions. Use the REST or SOAP API for safer execution if dynamic queries are necessary.
6. **Restrict Query Components**: Limit user-supplied input to object names, field names, and WHERE clause inputs. Avoid allowing users to supply other parts of the query.
7. **Use Secure APIs**: For more complex queries, consider using the REST or SOAP API to ensure safe execution.

These steps will help you securely construct dynamic SOQL queries while mitigating risks and preventing information disclosure vulnerabilities.
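The following Apex class is an added illustration of practices 1, 2 and 4 from both the current answer and the recommended update; it is not code from the FAQ itself. The class name, the custom exception and the method signature are assumptions; only the bind-variable path is shown, since `String.escapeSingleQuotes()` is the fallback for cases where a bind variable can't be used.

```apex
public with sharing class SafeDynamicSoql {

    // Assumed custom exception so callers can distinguish validation failures.
    public class DynamicQueryException extends Exception {}

    // Queries records of a runtime-chosen object where a runtime-chosen field
    // equals a user-supplied value. Object and field names are validated against
    // the schema describe; the value only ever enters the query as a bind variable.
    public static List<SObject> queryByFieldValue(String objectName, String fieldName, String searchValue) {
        // Step 1a: the object must exist in the schema and be readable by the running user.
        Map<String, Schema.SObjectType> globalDescribe = Schema.getGlobalDescribe();
        Schema.SObjectType sObjType = globalDescribe.get(objectName.toLowerCase());
        if (sObjType == null) {
            throw new DynamicQueryException('Unknown object name');
        }
        Schema.DescribeSObjectResult objDescribe = sObjType.getDescribe();
        if (!objDescribe.isAccessible()) {
            throw new DynamicQueryException('Object is not accessible to the running user');
        }

        // Step 1b / step 4: the field must exist on that object and pass the FLS read check.
        Map<String, Schema.SObjectField> fieldMap = objDescribe.fields.getMap();
        Schema.SObjectField field = fieldMap.get(fieldName.toLowerCase());
        if (field == null) {
            throw new DynamicQueryException('Unknown field name');
        }
        Schema.DescribeFieldResult fieldDescribe = field.getDescribe();
        if (!fieldDescribe.isAccessible()) {
            throw new DynamicQueryException('Field is not accessible to the running user');
        }

        // Only the canonical API names returned by the describe calls are spliced into
        // the query text, never the raw input strings.
        String safeObject = objDescribe.getName();
        String safeField = fieldDescribe.getName();

        // Step 2: searchValue is referenced as a bind variable, so it is treated as data
        // and cannot change the structure of the query.
        String soql = 'SELECT Id, ' + safeField
            + ' FROM ' + safeObject
            + ' WHERE ' + safeField + ' = :searchValue'
            + ' LIMIT 200';
        return Database.query(soql);
    }
}
```

The `with sharing` keyword applies record-level sharing; the describe checks cover object and field access (steps 1 and 4), and the operator, LIMIT and field list remain fixed so the caller controls only the object name, field name and WHERE value (step 6).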
Reasoning
The content and technical advice are accurate and current. I made minor wording improvements for better clarity and conversational tone: changed 'cannot' to 'can't' and 'are not' to 'aren't' to follow the brand guidelines for contractions, changed 'Do not' to 'Don't' for consistency, and improved flow by saying 'safely handled and can't alter' instead of 'safely handled and cannot alter.' These changes make the FAQ more conversational while preserving all the technical content.

ApexSOQLInjection rule: This rule directly applies because the FAQ is entirely focused on preventing SOQL injection vulnerabilities when building dynamic queries. The FAQ content about using bind variables, sanitizing input with String.escapeSingleQuotes(), validating object and field names, and restricting user input components directly addresses SOQL injection prevention techniques that this rule would flag.

ApexCRUDViolation rule: This rule applies because point #4 of the FAQ specifically discusses 'Perform CRUD/FLS Checks' and ensuring users have necessary permissions to access objects and fields. The FAQ content about performing CRUD (Create, Read, Update, Delete) and FLS (Field-Level Security) checks directly relates to what this rule validates.