FAQ-001598 - SQL Injection and Input Validation / False Positive Identification and Documentation


Current FAQ

Question
How can I prove that a dynamic SOQL query is safe from injection because its variables are derived from secure sources?
Answer
To prove that a dynamic SOQL query is safe from injection because its variables are derived from secure sources, follow these steps:

1. **Use Bind Variables**: Incorporate user-supplied input securely into the query using bind variables. This ensures the input remains within its quoted context.
2. **Sanitize Input**: If bind variables aren't an option, sanitize input with methods like `String.escapeSingleQuotes()`. This is suitable for simple string comparisons but should be combined with other methods for full protection.
3. **Validate Object and Field Names**: For user-supplied object or field names, validate them against a whitelist of acceptable values. Use `Schema.getGlobalDescribe()` to retrieve valid names and confirm user permissions.
4. **Enforce CRUD/FLS Checks**: Ensure the user has the necessary permissions for the objects and fields being queried by enforcing Create, Read, Update, and Delete (CRUD) and Field-Level Security (FLS) checks.
5. **Avoid User-Generated Queries in Apex**: Avoid executing user-generated queries in Apex, as they bypass user permissions. For complex queries, consider using the REST or SOAP API.
6. **Review Query Context**: Sanitize parameters and validate permissions for all public methods containing database operations.

By implementing these practices, you can demonstrate that your dynamic SOQL query is secure and free from injection risks.

AI Recommended Enhancement

Related Security Rules: ApexSOQLInjection, ApexCRUDViolation
Question
How can I prove that a dynamic SOQL query is safe from injection because its variables are derived from secure sources?
Recommended Answer Update
To prove that a dynamic SOQL query is safe from injection because its variables are derived from secure sources, follow these steps:

1. **Use Bind Variables**: Incorporate user-supplied input securely into the query using bind variables. This ensures the input remains within its quoted context.
2. **Sanitize Input**: If bind variables aren't an option, sanitize input with methods like `String.escapeSingleQuotes()`. This is suitable for simple string comparisons but should be combined with other methods for full protection.
3. **Validate Object and Field Names**: For user-supplied object or field names, validate them against a whitelist of acceptable values. Use `Schema.getGlobalDescribe()` to retrieve valid names and confirm user permissions.
4. **Enforce CRUD/FLS Checks**: Ensure the user has the necessary permissions for the objects and fields being queried. Use `WITH USER_MODE` for SOQL queries or `AccessLevel.USER_MODE` for Database methods to automatically enforce permissions, or implement manual permission checks.
5. **Avoid User-Generated Queries in Apex**: Avoid executing user-generated queries in Apex, as they bypass user permissions. For complex queries, consider using the REST or SOAP API.
6. **Review Query Context**: Sanitize parameters and validate permissions for all public methods containing database operations.

By implementing these practices, you can demonstrate that your dynamic SOQL query is secure and free from injection risks.
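The steps above (in both the current answer and the recommended update) combined into one Apex class, as an added example that is not part of this FAQ; the `Account` object, the field allow-list and the class and method names are constructed for illustration:

```apex
public with sharing class SafeDynamicSoql {
    // Constructed allow-list of fields a caller may filter on; anything else is rejected.
    private static final Set<String> ALLOWED_FIELDS = new Set<String>{ 'name', 'industry', 'type' };

    // Preferred path: the user value never enters the query string, only the bind map,
    // and AccessLevel.USER_MODE enforces CRUD/FLS and sharing for the running user.
    public static List<Account> findByField(String fieldName, String value) {
        String field = validateField('Account', fieldName);
        String soql = 'SELECT Id, Name FROM Account WHERE ' + field + ' = :val';
        return Database.queryWithBinds(
            soql, new Map<String, Object>{ 'val' => value }, AccessLevel.USER_MODE);
    }

    // Fallback for the rare case where the value must be inlined into the string
    // (here: a WHERE fragment built by a helper with no bind scope). Escaping keeps
    // the value inside its quoted context; WITH USER_MODE still enforces permissions.
    public static List<Account> findByNamePrefix(String prefix) {
        String soql = 'SELECT Id, Name FROM Account WHERE ' + nameLikeClause(prefix)
            + ' WITH USER_MODE';
        return Database.query(soql);
    }

    private static String nameLikeClause(String prefix) {
        return 'Name LIKE \'' + String.escapeSingleQuotes(prefix) + '%\'';
    }

    // Validate a caller-supplied field name against the allow-list AND the schema,
    // confirm the running user can read it, and return the canonical API name
    // from the describe result rather than the raw input.
    private static String validateField(String objectName, String fieldName) {
        String key = String.isBlank(fieldName) ? '' : fieldName.toLowerCase();
        if (!ALLOWED_FIELDS.contains(key)) {
            throw new IllegalArgumentException('Field not permitted: ' + fieldName);
        }
        // getGlobalDescribe() and fields.getMap() are keyed by lower-case API name.
        Schema.SObjectType objType = Schema.getGlobalDescribe().get(objectName.toLowerCase());
        if (objType == null || !objType.getDescribe().isAccessible()) {
            throw new IllegalArgumentException('Object not readable: ' + objectName);
        }
        Schema.SObjectField f = objType.getDescribe().fields.getMap().get(key);
        if (f == null || !f.getDescribe().isAccessible()) {
            throw new IllegalArgumentException('Field not readable: ' + fieldName);
        }
        return f.getDescribe().getName();
    }
}
```

A field name such as `Name' OR Id != null OR Name = '` fails the allow-list check before any query is built, and a value containing quotes is passed as a bind (or escaped) rather than concatenated.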
Reasoning
The main improvement needed was in point 4 regarding CRUD/FLS enforcement. Following the security approaches guidelines, I updated this to prioritize modern features like `WITH USER_MODE` and `AccessLevel.USER_MODE` while still acknowledging that manual permission checks remain valid. This provides users with the most current and efficient approach while not dismissing existing valid methods.

For the related security rules:

1. **ApexSOQLInjection** - This rule directly relates to the core topic of the FAQ, which is proving that dynamic SOQL queries are safe from injection attacks. The FAQ content specifically addresses SOQL injection prevention through bind variables, input sanitization with `String.escapeSingleQuotes()`, validation of object and field names, and avoiding user-generated queries - all of which are exactly what the ApexSOQLInjection rule is designed to detect and prevent.
2. **ApexCRUDViolation** - This rule is directly relevant to point 4 in the FAQ answer which discusses enforcing CRUD/FLS checks to ensure users have necessary permissions for objects and fields being queried. The FAQ specifically mentions enforcing "Create, Read, Update, and Delete (CRUD) and Field-Level Security (FLS) checks" which is precisely what the ApexCRUDViolation rule addresses.