FAQ-001606 - SQL Injection and Input Validation / Input Sanitization and Escaping


Current FAQ

Question
How can SOQL injection issues be resolved when String.escapeSingleQuotes() doesn't satisfy scanners?
Answer
When `String.escapeSingleQuotes()` doesn't satisfy scanners for resolving SOQL injection issues, follow these steps:

1. **Use Bind Variables**: Always prefer bind variables in your SOQL queries. They ensure user input is treated as data, not executable code.

```apex
List<SObject> records = [SELECT Id, Name FROM Account WHERE Name = :userInput];
```

2. **Combine with Input Validation**: If bind variables cannot be used, combine `String.escapeSingleQuotes()` with other input validation methods to sanitize the input.

3. **Whitelist Validation**: Validate user-supplied input against a whitelist of acceptable values. For example, use `Schema.getGlobalDescribe()` to verify object and field names.

These practices provide robust protection against SOQL injection vulnerabilities and help satisfy security scanners.

AI Recommended Enhancement

Related Security Rules
ApexSOQLInjection
Question
How can SOQL injection issues be resolved when String.escapeSingleQuotes() doesn't satisfy scanners?
Recommended Answer Update
When `String.escapeSingleQuotes()` doesn't satisfy scanners for resolving SOQL injection issues, follow these steps:

1. **Use Bind Variables**: Always prefer bind variables in your SOQL queries. They ensure user input is treated as data, not executable code.

```apex
List<SObject> records = [SELECT Id, Name FROM Account WHERE Name = :userInput];
```

2. **Combine with Input Validation**: If bind variables can't be used, combine `String.escapeSingleQuotes()` with other input validation methods to sanitize the input.

3. **Whitelist Validation**: Validate user-supplied input against a whitelist of acceptable values. For example, use `Schema.getGlobalDescribe()` to verify object and field names.

These practices provide robust protection against SOQL injection vulnerabilities and help satisfy security scanners.
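The following Apex class is an added example, not part of the original FAQ or the recommended update above; it puts the three steps from both answers together in a dynamic query where the *field name* as well as the value comes from the caller. The class name `AccountSearch`, the allow-list contents and the method names are assumptions.

```apex
public with sharing class AccountSearch {
    // Constructed allow-list of field API names (lower-cased) a caller may filter on.
    private static final Set<String> ALLOWED_FIELDS =
        new Set<String>{ 'name', 'industry', 'billingcity' };

    // The pattern scanners keep flagging: the field name is spliced into the
    // query unquoted, so escapeSingleQuotes() on the value does nothing for it.
    public static List<Account> searchFlagged(String fieldName, String value) {
        String q = 'SELECT Id, Name FROM Account WHERE ' + fieldName
            + ' = \'' + String.escapeSingleQuotes(value) + '\'';
        return Database.query(q);
    }

    // Hardened form: the identifier must be on the allow-list and must exist
    // in the object's describe (step 3); the value is passed as a bind
    // variable (step 1), so it can never be parsed as SOQL.
    public static List<Account> searchSafe(String fieldName, String value) {
        String key = fieldName == null ? '' : fieldName.toLowerCase();
        Map<String, Schema.SObjectField> fields =
            Schema.getGlobalDescribe().get('Account').getDescribe().fields.getMap();
        if (!ALLOWED_FIELDS.contains(key) || !fields.containsKey(key)) {
            throw new IllegalArgumentException('Field not permitted: ' + fieldName);
        }
        // Emit the describe's canonical API name, never the raw input string.
        String apiName = fields.get(key).getDescribe().getName();
        // Dynamic SOQL still honours :value as a bind variable from local scope.
        String q = 'SELECT Id, Name FROM Account WHERE ' + apiName + ' = :value';
        return Database.query(q);
    }
}
```

`searchSafe` rejects anything that is not a known field before the query string is built, so the only caller-controlled data reaching SOQL is the bound value.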
Reasoning
The FAQ is well-structured and provides accurate information about SOQL injection prevention. I made one minor improvement by changing 'cannot be used' to 'can't be used' in point 2 to align with the conversational tone guidelines that recommend using contractions. This makes the text more natural and reader-friendly while maintaining all the technical accuracy and completeness of the original content. Regarding security rules: I selected ApexSOQLInjection because this FAQ directly addresses SOQL injection vulnerabilities and provides specific remediation techniques. The FAQ content explicitly discusses 'SOQL injection issues' in the question and provides multiple approaches to prevent SOQL injection attacks, including bind variables (the primary defense), input validation, and whitelist validation. The ApexSOQLInjection rule is specifically designed to detect potential SOQL injection vulnerabilities in Apex code, making it directly applicable to the techniques and security concerns discussed in this FAQ.