FAQ-001617 - SQL Injection and Input Validation / Secure Implementation Documentation


Current FAQ

Question
How can I demonstrate that my dynamic SOQL query is safe and not vulnerable to injection?
Answer
To demonstrate that your dynamic SOQL query is safe and not vulnerable to injection, you should:

1. **Use Bind Variables**: Securely handle user-supplied input by incorporating bind variables in your query. This ensures inputs remain within their quoted context.
2. **Sanitize Input**: Use methods like `String.escapeSingleQuotes()` to sanitize user-supplied strings, treating single quotes as part of the string rather than database commands.
3. **Validate Object and Field Names**: Validate user-supplied object or field names against a whitelist of acceptable values. Use `Schema.getGlobalDescribe()` to confirm their existence and check user permissions.
4. **Perform CRUD/FLS Checks**: Ensure the user has the appropriate Create, Read, Update, and Delete (CRUD) and Field-Level Security (FLS) permissions for the objects and fields involved.
5. **Avoid System Mode Execution**: Do not execute user-generated queries in Apex system mode, as it bypasses user permissions. Use user mode or explicitly enforce security.
6. **Leverage Secure APIs**: For complex queries, consider using the REST or SOAP API, which securely handle SOQL calls.

These steps will help you demonstrate that your dynamic SOQL query is secure and mitigates injection risks.

AI Recommended Enhancement

Related Security Rules

- ApexSOQLInjection
- ApexCRUDViolation
- ApexSharingViolations
Question
How can I demonstrate that my dynamic SOQL query is safe and not vulnerable to injection?
Recommended Answer Update
To demonstrate that your dynamic SOQL query is safe and not vulnerable to injection, you should:

1. **Use Bind Variables**: Securely handle user-supplied input by incorporating bind variables in your query. This ensures inputs remain within their quoted context.
2. **Sanitize Input**: Use methods like `String.escapeSingleQuotes()` to sanitize user-supplied strings, treating single quotes as part of the string rather than database commands.
3. **Validate Object and Field Names**: Validate user-supplied object or field names against a whitelist of acceptable values. Use `Schema.getGlobalDescribe()` to confirm their existence and check user permissions.
4. **Perform CRUD/FLS Checks**: Ensure the user has the appropriate Create, Read, Update, and Delete (CRUD) and Field-Level Security (FLS) permissions for the objects and fields involved. Use modern approaches like `WITH USER_MODE` in SOQL queries or `AccessLevel.USER_MODE` for Database methods when possible.
5. **Avoid System Mode Execution**: Don't execute user-generated queries in Apex system mode, as it bypasses user permissions. Use user mode or explicitly enforce security.
6. **Leverage Secure APIs**: For complex queries, consider using the REST or SOAP API, which securely handle SOQL calls.

These steps will help you demonstrate that your dynamic SOQL query is secure and mitigates injection risks.
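The following Apex class is an added example, not code from the FAQ, that puts the steps listed in both the current answer and the recommended update into one place: a concatenated query shown only for contrast, a bind variable for the user-supplied value, `String.escapeSingleQuotes()` for the one case where a value must be embedded in the query text, a field-name whitelist backed by `Schema.getGlobalDescribe()` and an FLS check, and `WITH USER_MODE` / `AccessLevel.USER_MODE` so the query runs with the calling user's permissions. The class and method names (`ContactSearch`, `unsafeSearch`, `searchByName`, `searchByNameEscaped`) and the `Contact` object and field choices are assumptions made for the example.

```apex
// Added example (not part of the FAQ). Class and method names are illustrative.
public with sharing class ContactSearch {

    // Step 3: sort fields a caller may request. Input is matched against this set;
    // it is never placed in the query text unchecked.
    private static final Set<String> ALLOWED_SORT_FIELDS =
        new Set<String>{ 'Name', 'CreatedDate', 'LastModifiedDate' };

    // Vulnerable pattern, kept only for contrast: concatenating the raw value lets a
    // single quote in the input close the literal and alter the WHERE clause.
    public static List<Contact> unsafeSearch(String nameFragment) {
        String soql = 'SELECT Id, Name FROM Contact WHERE Name LIKE \'%'
            + nameFragment + '%\'';
        return Database.query(soql);
    }

    // Step 3: whitelist, existence via Schema.getGlobalDescribe(), and field-level
    // read access for the running user. Throws on any failure.
    private static void validateSortField(String sortField) {
        if (String.isBlank(sortField) || !ALLOWED_SORT_FIELDS.contains(sortField)) {
            throw new IllegalArgumentException('Unsupported sort field');
        }
        Schema.SObjectType contactType = Schema.getGlobalDescribe().get('Contact');
        Map<String, Schema.SObjectField> fields =
            contactType.getDescribe().fields.getMap();      // keys are lower-case
        Schema.SObjectField field = fields.get(sortField.toLowerCase());
        if (field == null || !field.getDescribe().isAccessible()) {
            throw new IllegalArgumentException('Field unknown or not readable');
        }
    }

    // Steps 1, 4 and 5: the search value travels as a bind variable (:pattern), so it
    // is always data; WITH USER_MODE enforces CRUD, FLS and sharing for the caller.
    public static List<Contact> searchByName(String nameFragment, String sortField) {
        validateSortField(sortField);
        String pattern = '%' + nameFragment + '%';
        String soql = 'SELECT Id, Name FROM Contact WHERE Name LIKE :pattern '
            + 'WITH USER_MODE ORDER BY ' + sortField + ' LIMIT 100';
        return Database.query(soql);
    }

    // Same query built with Database.queryWithBinds: the bind map keeps the value out
    // of the query string and AccessLevel.USER_MODE applies the caller's permissions.
    public static List<Contact> searchByNameWithBinds(String nameFragment, String sortField) {
        validateSortField(sortField);
        Map<String, Object> binds = new Map<String, Object>{
            'pattern' => '%' + nameFragment + '%'
        };
        String soql = 'SELECT Id, Name FROM Contact WHERE Name LIKE :pattern '
            + 'ORDER BY ' + sortField + ' LIMIT 100';
        return Database.queryWithBinds(soql, binds, AccessLevel.USER_MODE);
    }

    // Step 2: only where a value genuinely has to be embedded in the query text,
    // escape it so a quote in the input stays inside the string literal.
    public static List<Contact> searchByNameEscaped(String nameFragment) {
        String safeFragment = String.escapeSingleQuotes(nameFragment);
        String soql = 'SELECT Id, Name FROM Contact WHERE Name LIKE \'%'
            + safeFragment + '%\' WITH USER_MODE LIMIT 100';
        return Database.query(soql);
    }
}
```

In a test method, calling `searchByName('O\'Brien', 'Name')` returns only contacts whose name contains that string, while `searchByName('Name', 'Owner.Name')` throws before any query runs because the sort field is not on the whitelist; a user without read access to `Contact` gets a query exception from `WITH USER_MODE` rather than data they should not see. The bind-variable methods are the ones to prefer; `searchByNameEscaped` exists for the narrow case the FAQ's step 2 covers.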
Reasoning
The FAQ content is accurate and well-structured, but I made a minor refinement to point 4 to align with the security approaches guidelines by mentioning modern features like `WITH USER_MODE` and `AccessLevel.USER_MODE` while preserving the existing content about CRUD/FLS checks. I also improved the wording in point 5 by changing 'Do not' to 'Don't' for a more conversational tone per the brand guidelines.

For the related security rules:

1. **ApexSOQLInjection**: This rule directly relates to the core topic of the FAQ - preventing SOQL injection vulnerabilities in dynamic queries. The FAQ content about using bind variables, sanitizing input with `String.escapeSingleQuotes()`, and validating object/field names all directly address what this rule detects.
2. **ApexCRUDViolation**: This rule is relevant to point 4 of the FAQ answer which discusses performing CRUD/FLS checks and ensuring users have appropriate permissions for objects and fields involved in the query.
3. **ApexSharingViolations**: This rule relates to point 5 of the FAQ answer about avoiding system mode execution and explicitly enforcing security, as sharing violations often occur when bypassing user permissions or executing in inappropriate contexts.