FAQ-001613 - SQL Injection and Input Validation / Secure Implementation Documentation


Current FAQ

Question
What are the approved methods for handling dynamic queries with client-provided parameters while maintaining security?
Answer
To securely handle dynamic queries with client-provided parameters, follow these approved methods:

1. **Use Bind Variables**: This is the most secure approach, as it prevents input from breaking out of its quoted context and ensures user inputs are treated as data, not executable code.
2. **Sanitize Input**: If bind variables cannot be used, apply `String.escapeSingleQuotes()` to sanitize input. This ensures single quotes are treated as part of the string, not as database commands.
3. **Use APIs for Complex Queries**: For more complex client-side SOQL, use the REST or SOAP API, which safely handles SOQL calls.
4. **Avoid System Mode Execution**: Do not execute user-generated queries in Apex running in system mode.
5. **Validate Permissions**: Always validate user permissions, including object accessibility and field-level security, before executing queries.

These practices help maintain security while handling dynamic queries.

AI Recommended Enhancement

Related Security Rules
- ApexSOQLInjection
- ApexCRUDViolation
Question
What are the approved methods for handling dynamic queries with client-provided parameters while maintaining security?
Recommended Answer Update
To securely handle dynamic queries with client-provided parameters, follow these approved methods:

1. **Use Bind Variables**: This is the most secure approach, as it prevents input from breaking out of its quoted context and ensures user inputs are treated as data, not executable code.
2. **Sanitize Input**: If bind variables cannot be used, apply `String.escapeSingleQuotes()` to sanitize input. This ensures single quotes are treated as part of the string, not as database commands.
3. **Use APIs for Complex Queries**: For more complex client-side SOQL, use the REST or SOAP API, which safely handles SOQL calls.
4. **Avoid System Mode Execution**: Don't execute user-generated queries in Apex running in system mode.
5. **Validate Permissions**: Always validate user permissions, including object accessibility and field-level security, before executing queries.

These practices help maintain security while handling dynamic queries.
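The following Apex class is an added illustration of methods 1, 2 and 5 from both answers above; it is not code from the FAQ or from Salesforce. It assumes a Contact lookup driven by a client-supplied string; the class, method and exception names are ours.

```apex
// Added example: a dynamic SOQL lookup in its vulnerable form beside the
// hardened forms the FAQ recommends. `with sharing` enforces record-level
// sharing; object and field access are still checked explicitly.
public with sharing class ContactSearch {

    public class AccessException extends Exception {}

    // VULNERABLE (ApexSOQLInjection): concatenating the value into the query
    // lets a single quote in the input end the literal and change the WHERE
    // clause. Kept here only to show what the hardened versions replace.
    public static List<Contact> findUnsafe(String lastName) {
        String q = 'SELECT Id, LastName, Email FROM Contact '
                 + 'WHERE LastName = \'' + lastName + '\'';
        return Database.query(q);
    }

    // Method 5 (ApexCRUDViolation): verify object and field-level access
    // before touching the database; Apex alone runs in system mode.
    private static void requireReadAccess() {
        if (!Schema.sObjectType.Contact.isAccessible()
            || !Schema.sObjectType.Contact.fields.LastName.isAccessible()
            || !Schema.sObjectType.Contact.fields.Email.isAccessible()) {
            throw new AccessException('No read access to Contact fields');
        }
    }

    // Method 1 (preferred): a bind variable. The runtime passes the value as
    // data, so it can never terminate the quoted context.
    public static List<Contact> findWithBind(String lastName) {
        requireReadAccess();
        return Database.query(
            'SELECT Id, LastName, Email FROM Contact WHERE LastName = :lastName');
    }

    // Method 2 (fallback): when the query text is assembled in a helper where
    // the bind variable is not in scope of Database.query, escape the input so
    // a quote stays part of the string.
    public static String buildPrefixQuery(String prefix) {
        String safe = String.escapeSingleQuotes(prefix) + '%';
        return 'SELECT Id, LastName, Email FROM Contact '
             + 'WHERE LastName LIKE \'' + safe + '\'';
    }

    public static List<Contact> findWithEscape(String prefix) {
        requireReadAccess();
        return Database.query(buildPrefixQuery(prefix));
    }
}
```

For an input such as `O'Brien`, `buildPrefixQuery` yields `... LIKE 'O\'Brien%'`, whereas `findUnsafe` would produce a broken or altered query.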
Reasoning
The FAQ content is accurate and well-structured but contains minor wording that can be improved for clarity and tone consistency. The main change is simplifying "Do not execute" to "Don't execute" to match the conversational tone guidelines. The content directly relates to two key security rules: ApexSOQLInjection focuses on preventing SOQL injection attacks through proper handling of dynamic queries and user input (which is the core topic of this FAQ), and ApexCRUDViolation addresses the validation of user permissions for database operations (covered in point 5 of the FAQ). All technical recommendations in the FAQ are current and align with Salesforce security best practices.