FAQ-001614 - SQL Injection and Input Validation / Secure Implementation Documentation


Current FAQ

Question
How can I demonstrate that dynamic SOQL queries are implemented securely with proper safeguards?
Answer
To demonstrate that dynamic SOQL queries are implemented securely with proper safeguards, follow these practices:

1. **Use Bind Variables**: Incorporate user input into queries through bind variables so it is treated as data, not executable code. Show that every user-supplied value reaches the query as a bind, which is the primary defence against injection.
2. **Sanitize Input**: Use `String.escapeSingleQuotes()` for simple string comparisons and combine it with other input validation methods for complex scenarios. Demonstrate how special characters in user input are handled.
3. **Verify Permissions**: Use `Schema.getGlobalDescribe()` to confirm that the running user can access the requested objects and fields, preventing unauthorized data access. Implement and showcase input validation, such as whitelisting acceptable values for object and field names.
4. **Whitelist Inputs**: Allow users to supply only object names, field names, and WHERE clause inputs, and validate each of these against a predefined whitelist.
5. **Perform CRUD/FLS Checks**: Use `Schema.sObjectType` to verify that users have the necessary permissions to access or modify data. Verify and document that CRUD (Create, Read, Update, Delete) and FLS (Field-Level Security) checks are performed.
6. **Avoid System Mode Execution**: Do not execute user-generated queries in Apex running in system mode, which bypasses user permissions. If dynamic queries are necessary, use the REST or SOAP API for safe SOQL calls.
7. **Sanitize Public Method Parameters**: Ensure all public methods that perform database operations sanitize their parameters to prevent injection vulnerabilities, and show that they do.
8. **Use APIs for Complex Queries**: For complex scenarios, demonstrate the use of the REST or SOAP API to safely handle SOQL calls.
By adhering to these practices and documenting them properly, you can demonstrate that your dynamic SOQL queries are secure and follow best practices.

AI Recommended Enhancement

Related Security Rules

- ApexSOQLInjection
- ApexCRUDViolation
- ApexSharingViolations
Question
How can I demonstrate that dynamic SOQL queries are implemented securely with proper safeguards?
Recommended Answer Update
To demonstrate that dynamic SOQL queries are implemented securely with proper safeguards, follow these practices:

1. **Use Bind Variables**: Ensure user input is treated as data, not executable code, by using bind variables. Show that user inputs are incorporated into queries using bind variables, which prevent injection attacks.
2. **Sanitize Input**: Use `String.escapeSingleQuotes()` for simple string comparisons and combine it with other input validation methods for complex scenarios. Demonstrate the use of sanitization methods to handle special characters in user inputs.
3. **Verify Permissions**: Use `Schema.getGlobalDescribe()` to confirm user access to objects or fields, preventing unauthorized data access. Implement and showcase input validation, such as whitelisting acceptable values for object and field names.
4. **Whitelist Inputs**: Allow users to supply only object names, field names, and WHERE clause inputs. Validate these against a predefined whitelist.
5. **Perform CRUD/FLS Checks**: Use modern features like `WITH USER_MODE` for SOQL queries or `AccessLevel.USER_MODE` for Database methods, which automatically enforce permissions. Alternatively, use `Schema.sObjectType` to verify that users have the necessary permissions to access or modify data. Verify and document that CRUD (Create, Read, Update, Delete) and FLS (Field-Level Security) checks are performed.
6. **Avoid System Mode Execution**: Don't execute user-generated queries in Apex running in system mode. Use the REST or SOAP API for safe SOQL calls if dynamic queries are necessary. Ensure that user-generated queries aren't executed in Apex running in system mode, which bypasses user permissions.
7. **Sanitize Public Method Parameters**: Ensure all public methods with database operations sanitize their parameters to prevent injection vulnerabilities. Show that all public methods with database operations sanitize their parameters.
8. **Use APIs for Complex Queries**: For complex scenarios, demonstrate the use of the REST or SOAP API to safely handle SOQL calls.

By adhering to these practices and documenting them properly, you can demonstrate that your dynamic SOQL queries are secure and follow best practices.
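As an added example (not code from this FAQ or from Salesforce), the following Apex helper ties together the practices listed in both the current answer and the recommended update: an allow-list for object and field names, a describe-based CRUD/FLS check, a bind variable supplied through `Database.queryWithBinds`, and `AccessLevel.USER_MODE` so the platform enforces permissions at query time. The class name, the allow-list contents and the custom exception type are assumptions; `String.escapeSingleQuotes()` is not needed here because no user value is ever concatenated into the query text.

```apex
// Added example, not the FAQ's own code. Assumes the caller passes an object
// name, a field name and a filter value that all originate from user input.
public with sharing class SafeDynamicQuery {

    // Constructed allow-list: only these objects and fields may be queried dynamically.
    private static final Map<String, Set<String>> ALLOWED = new Map<String, Set<String>>{
        'Account' => new Set<String>{ 'Name', 'Industry' },
        'Contact' => new Set<String>{ 'LastName', 'Email' }
    };

    public static List<SObject> queryByField(String objectName, String fieldName, String value) {
        // Step 1: whitelist. Object and field names are only ever concatenated
        // into SOQL after they match a predefined allow-list entry exactly.
        if (!ALLOWED.containsKey(objectName) || !ALLOWED.get(objectName).contains(fieldName)) {
            throw new UnsafeQueryException('Object or field not permitted: ' + objectName + '.' + fieldName);
        }

        // Step 2: describe-based check. Confirm the object exists and the running
        // user may read both the object (CRUD) and the field (FLS).
        Schema.SObjectType sObjType = Schema.getGlobalDescribe().get(objectName);
        if (sObjType == null || !sObjType.getDescribe().isAccessible()) {
            throw new UnsafeQueryException('No read access to object ' + objectName);
        }
        Schema.SObjectField field = sObjType.getDescribe().fields.getMap().get(fieldName.toLowerCase());
        if (field == null || !field.getDescribe().isAccessible()) {
            throw new UnsafeQueryException('No read access to field ' + fieldName);
        }

        // Step 3: bind variable. The filter value is passed as a bind, never
        // concatenated, so any quotes or operators in it remain literal data.
        String soql = 'SELECT Id, ' + fieldName + ' FROM ' + objectName
                    + ' WHERE ' + fieldName + ' = :value LIMIT 200';

        // Step 4: USER_MODE. The platform re-checks CRUD, FLS and sharing when the
        // query runs, so a missed describe check cannot expose data the user cannot see.
        return Database.queryWithBinds(soql, new Map<String, Object>{ 'value' => value },
                                       AccessLevel.USER_MODE);
    }

    public class UnsafeQueryException extends Exception {}
}
```

The describe checks and USER_MODE overlap deliberately: the explicit checks give a clear, documentable failure message, while USER_MODE is the enforcement that holds even if a future change forgets them.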
Reasoning
The main update needed is in point 5 regarding CRUD/FLS checks. According to the security approaches guidelines, modern features like `WITH USER_MODE` for SOQL queries and `AccessLevel.USER_MODE` for Database methods should be prioritized as they automatically enforce permissions with less code. The current answer only mentions the legacy approach with `Schema.sObjectType`. I updated it to lead with the modern approaches while maintaining the existing legacy approach as still valid. I also made minor tone improvements by changing 'Do not' to 'Don't' and 'are not' to 'aren't' to match the conversational style guidelines.

Regarding security rules selected:

- **ApexSOQLInjection**: Directly relates to the FAQ's core focus on secure dynamic SOQL implementation. The FAQ discusses bind variables (point 1), input sanitization (point 2), and preventing injection vulnerabilities (point 7), all key defenses against SOQL injection attacks.
- **ApexCRUDViolation**: Relates to point 5 which discusses performing CRUD/FLS checks and the recommendation to use modern permission enforcement methods like `WITH USER_MODE` and `AccessLevel.USER_MODE`.
- **ApexSharingViolations**: Relates to point 6 about avoiding system mode execution which bypasses user permissions, and the overall theme of ensuring proper access controls in dynamic queries.