FAQ-001609 - SQL Injection and Input Validation / Input Sanitization and Escaping


Current FAQ

Question
How do I properly resolve SOQL injection vulnerabilities beyond using String.escapeSingleQuotes?
Answer
To resolve SOQL injection vulnerabilities beyond using `String.escapeSingleQuotes`, follow these practices:

1. **Use Bind Variables**: Incorporate user-supplied input securely into SOQL queries by using bind variables.
2. **Whitelist Validation**: Validate user input against a whitelist of acceptable values, especially for object and field names. Use methods like `Schema.getGlobalDescribe()` to verify the validity and permissions of the input.
3. **Restrict User Input**: Avoid allowing users to supply portions of SOQL queries directly.
4. **Sanitize Parameters**: Ensure all public methods containing database operations sanitize their parameters.
5. **Use APIs for Complex Queries**: For more complex queries, consider using the REST or SOAP API to safely execute SOQL calls.

These steps provide robust protection against SOQL injection vulnerabilities.

AI Recommended Enhancement

Related Security Rules
ApexSOQLInjection
Question
How do I properly resolve SOQL injection vulnerabilities beyond using String.escapeSingleQuotes?
Recommended Answer Update
To resolve SOQL injection vulnerabilities beyond using `String.escapeSingleQuotes`, follow these practices:

1. **Use Bind Variables**: Incorporate user-supplied input securely into SOQL queries by using bind variables.
2. **Whitelist Validation**: Validate user input against a whitelist of acceptable values, especially for object and field names. Use methods like `Schema.getGlobalDescribe()` to verify the validity and permissions of the input.
3. **Restrict User Input**: Avoid allowing users to supply portions of SOQL queries directly.
4. **Sanitize Parameters**: Ensure all public methods containing database operations sanitize their parameters.
5. **Use Database Methods with USER_MODE**: For secure database operations, use `Database.query()`, `Database.insert()`, `Database.update()`, and `Database.delete()` methods with `AccessLevel.USER_MODE` to automatically enforce security permissions.

These steps provide robust protection against SOQL injection vulnerabilities.
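The following Apex class puts practices 1, 2 and 5 from both versions of the answer side by side: a concatenated query that is open to injection, the same lookup rewritten with a bind variable, and a dynamic query whose object and field names are whitelisted against the schema and then run with `Database.queryWithBinds` in `AccessLevel.USER_MODE`. It is an added example, not code from the FAQ or from Salesforce; the class and method names are hypothetical, and it assumes the running user has access to the objects and fields it queries.

```apex
public with sharing class ContactSearch {
    // Vulnerable: caller input is concatenated straight into the query text,
    // so the input can change the query's structure, not just its value.
    public static List<Contact> findByLastNameUnsafe(String lastName) {
        String q = 'SELECT Id, Name FROM Contact WHERE LastName = \'' + lastName + '\'';
        return Database.query(q);
    }

    // Fixed: static SOQL with a bind variable. The value travels as data and is
    // never parsed as query text, so no escaping is required.
    public static List<Contact> findByLastName(String lastName) {
        return [SELECT Id, Name FROM Contact WHERE LastName = :lastName];
    }

    // Dynamic SOQL where the object and field names come from the caller.
    // Identifiers cannot be bound, so they are validated against the schema
    // (a whitelist) and the describe result's own API names are used in the
    // query; the filter value is still bound. USER_MODE makes the platform
    // enforce the running user's object and field permissions.
    public static List<SObject> findByField(String objectName, String fieldName, String value) {
        // Describe maps are keyed by lowercase API name.
        Schema.SObjectType objType = Schema.getGlobalDescribe().get(objectName.toLowerCase());
        if (objType == null) {
            throw new IllegalArgumentException('Unknown object: ' + objectName);
        }
        Schema.DescribeSObjectResult objDesc = objType.getDescribe();
        Schema.SObjectField field = objDesc.fields.getMap().get(fieldName.toLowerCase());
        Schema.DescribeFieldResult fieldDesc = (field == null) ? null : field.getDescribe();
        if (fieldDesc == null || !fieldDesc.isFilterable()) {
            throw new IllegalArgumentException('Unknown or unfilterable field: ' + fieldName);
        }
        String q = 'SELECT Id FROM ' + objDesc.getName()
                 + ' WHERE ' + fieldDesc.getName() + ' = :val';
        return Database.queryWithBinds(
            q,
            new Map<String, Object>{ 'val' => value },
            AccessLevel.USER_MODE
        );
    }
}
```

`findByLastNameUnsafe` is kept only as the "before" form that a rule such as ApexSOQLInjection flags; the other two methods are the patterns to ship.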
Reasoning
The FAQ content is accurate and well-structured, covering essential SOQL injection prevention techniques beyond basic escaping. However, one recommendation needed updating to align with modern security approaches. The original point 5 suggested using REST or SOAP APIs for complex queries, which is not the most appropriate or efficient approach for SOQL injection prevention. This has been replaced with guidance on using Database methods with USER_MODE, which is more relevant, secure, and aligned with current Salesforce best practices for preventing SOQL injection while enforcing proper security permissions. The ApexSOQLInjection rule directly relates to this FAQ as it detects SOQL injection vulnerabilities in Apex code, which is exactly what this FAQ teaches developers to prevent through secure coding practices like bind variables, input validation, and proper sanitization.