FAQ-001615 - SQL Injection and Input Validation / Secure Implementation Documentation


Current FAQ

Question
How do I justify dynamic queries with proper validation mechanisms as secure implementations?
Answer
To justify dynamic queries as secure implementations, you need to demonstrate the use of proper validation mechanisms:

1. **Sanitize Parameters**: Ensure all parameters passed to public methods with database operations (query, delete, update, insert) are sanitized to prevent injection vulnerabilities.
2. **Avoid String Building**: Use `sObjectType` or `sObjectFields` directly instead of constructing queries with strings. This approach prevents SOQL code injection and supports permission checks.
3. **Perform CRUD/FLS Checks**: Use `Schema.getGlobalDescribe()` to validate object names and confirm they are legitimate. This also ensures the necessary permissions are in place for executing the query.

By implementing and showcasing these practices, you can justify that your dynamic queries are secure and align with best practices.

AI Recommended Enhancement

Related Security Rules
- ApexSOQLInjection
- ApexCRUDViolation
Question
How do I justify dynamic queries with proper validation mechanisms as secure implementations?
Recommended Answer Update
To justify dynamic queries as secure implementations, you need to demonstrate the use of proper validation mechanisms:

1. **Sanitize Parameters**: Ensure all parameters passed to public methods with database operations (query, delete, update, insert) are sanitized to prevent injection vulnerabilities.
2. **Avoid String Building**: Use `sObjectType` or `sObjectFields` directly instead of constructing queries with strings. This approach prevents SOQL code injection and supports permission checks.
3. **Perform CRUD/FLS Checks**: Use `WITH USER_MODE` for SOQL queries or `AccessLevel.USER_MODE` for Database methods to automatically enforce object and field-level permissions. Alternatively, use `Schema.getGlobalDescribe()` to validate object names and confirm they are legitimate, along with manual permission checks.

By implementing and showcasing these practices, you can justify that your dynamic queries are secure and align with best practices.
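As an added illustration (not part of the FAQ or any Salesforce-supplied code), the following Apex class contrasts a string-built dynamic query with a hardened version that validates object and field names through `Schema.getGlobalDescribe()`, passes the filter value as a bind variable, and runs the query in `AccessLevel.USER_MODE`; the class name `SafeDynamicQuery`, the method names and the custom exception type are assumptions.

```apex
public with sharing class SafeDynamicQuery {

    // Vulnerable form, shown for contrast: caller-controlled names and values are
    // spliced straight into the SOQL text, so the query shape depends on the input.
    public static List<SObject> unsafeQuery(String objectName, String fieldName, String value) {
        String soql = 'SELECT Id FROM ' + objectName
                    + ' WHERE ' + fieldName + ' = \'' + value + '\'';
        return Database.query(soql);
    }

    // Hardened form (hypothetical example): identifiers are resolved against the
    // schema describe and only the canonical API names reach the query text; the
    // value travels as a bind variable; USER_MODE makes the platform enforce
    // object (CRUD) and field (FLS) permissions for the running user.
    public static List<SObject> safeQuery(String objectName, String fieldName, String value) {
        Map<String, Schema.SObjectType> globalDescribe = Schema.getGlobalDescribe();
        Schema.SObjectType objType = globalDescribe.get(objectName.toLowerCase());
        if (objType == null) {
            throw new QueryValidationException('Unknown object: ' + objectName);
        }
        Schema.DescribeSObjectResult objDescribe = objType.getDescribe();
        if (!objDescribe.isQueryable() || !objDescribe.isAccessible()) {
            throw new QueryValidationException('Object not queryable for this user: ' + objectName);
        }
        Schema.SObjectField field = objDescribe.fields.getMap().get(fieldName.toLowerCase());
        if (field == null || !field.getDescribe().isAccessible()) {
            throw new QueryValidationException('Field not readable for this user: ' + fieldName);
        }
        // Only describe-supplied names are concatenated; the caller's text never is.
        String soql = 'SELECT Id FROM ' + objDescribe.getName()
                    + ' WHERE ' + field.getDescribe().getName() + ' = :value';
        // Equivalent to appending WITH USER_MODE to an inline SOQL statement.
        return Database.queryWithBinds(
            soql,
            new Map<String, Object>{ 'value' => value },
            AccessLevel.USER_MODE
        );
    }

    public class QueryValidationException extends Exception {}
}
```

The explicit describe checks remain useful alongside USER_MODE because they reject an unknown or unreadable identifier with a controlled exception before any query text is assembled.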
Reasoning
The FAQ content is generally accurate and addresses important security concerns for dynamic queries. I updated point 3 to lead with modern security features (`WITH USER_MODE` and `AccessLevel.USER_MODE`) as specified in the security approaches guidelines, while preserving the existing manual permission checking approach as a valid alternative. This maintains all original information while prioritizing the more modern, streamlined approaches first. The FAQ directly relates to two key security rules: ApexSOQLInjection because it teaches developers how to prevent SOQL injection attacks through proper parameter sanitization and avoiding string concatenation for query building, and ApexCRUDViolation because it addresses the need for proper CRUD and FLS checks when performing database operations.