FAQ-001618 - SQL Injection and Input Validation / Security Review and Vulnerability Assessment

Current Status: VALID_RESPONSE

Current FAQ

Question
How can SQL injection findings be properly evaluated when database access isn't actually possible?
Answer
When you can't reach the database (for example, you are reviewing code rather than testing against a running org), evaluate a SQL/SOQL injection finding by tracing each user-controlled input to the query it reaches:

1. **Input validation and sanitization**: Treat every parameter that reaches a public method performing a database operation as untrusted, and confirm it is validated or sanitized before it is used. `String.escapeSingleQuotes()` is the right tool only for values that end up inside a single-quoted SOQL string literal; it does nothing for object or field names, numbers, or `ORDER BY` and `LIMIT` fragments, which must be allow-listed instead.
2. **Use secure query patterns**: Don't build dynamic SOQL/SOSL by string concatenation. Pass values as bind variables (`:var` in `Database.query()`, or the bind map of `Database.queryWithBinds()`), and where an object or field name must be dynamic, check it against the schema describe (`Schema.SObjectType`, `Schema.SObjectField`) before splicing it into the query.
3. **Perform CRUD/FLS checks**: Confirm the running user has access to the objects and fields before executing queries, rather than assuming the sharing model covers it.
4. **Manual review**: When an automated tool flags a finding, read the code path from source to sink to decide whether it is real; a scanner sees the concatenation but not the validation that may sit elsewhere.
5. **Document findings**: If a finding is a false positive, record the review steps and the evidence in a false positive report so the conclusion can be re-checked later.

These steps let you judge whether the code is secure even without direct database access. A SQL injection finding against a web application that doesn't itself query a database usually points to how the application handles user input: even without a database, it may forward user-supplied data to other systems or services (a callout, a downstream API, a reporting service) that do run queries and could be injectable. Such a finding is still worth tracing rather than dismissing, and it reinforces the need to validate and sanitize all user input before it leaves the application.

AI Recommended Enhancement

Related Security Rules
ApexSOQLInjection, ApexCRUDViolation
Question
How can SQL injection findings be properly evaluated when database access isn't actually possible?
Recommended Answer Update
When you can't reach the database (for example, you are reviewing code rather than testing against a running org), evaluate a SQL/SOQL injection finding by tracing each user-controlled input to the query it reaches:

1. **Input validation and sanitization**: Treat every parameter that reaches a public method performing a database operation as untrusted, and confirm it is validated or sanitized before it is used. `String.escapeSingleQuotes()` is the right tool only for values that end up inside a single-quoted SOQL string literal; it does nothing for object or field names, numbers, or `ORDER BY` and `LIMIT` fragments, which must be allow-listed instead.
2. **Use secure query patterns**: Don't build dynamic SOQL/SOSL by string concatenation. Pass values as bind variables (`:var` in `Database.query()`, or the bind map of `Database.queryWithBinds()`), and where an object or field name must be dynamic, check it against the schema describe (`Schema.SObjectType`, `Schema.SObjectField`) before splicing it into the query.
3. **Perform CRUD/FLS checks**: Confirm the running user has access to the objects and fields before executing queries. Use `WITH USER_MODE` in SOQL, or `AccessLevel.USER_MODE` with `Database` methods such as `Database.queryWithBinds()`, so the platform enforces object and field permissions for you instead of relying only on hand-written `isAccessible()` checks.
4. **Manual review**: When an automated tool flags a finding, read the code path from source to sink to decide whether it's real; a scanner sees the concatenation but not the validation that may sit elsewhere.
5. **Document findings**: If a finding is a false positive, record the review steps and the evidence in a false positive report so the conclusion can be re-checked later.

These steps let you judge whether your code is secure even without direct database access. A SQL injection finding against a web application that doesn't itself query a database usually points to how the application handles user input: even without a database, it may forward user-supplied data to other systems or services (a callout, a downstream API, a reporting service) that do run queries and could be injectable. Such a finding is still worth tracing rather than dismissing, and it reinforces the need to validate and sanitize all user input before it leaves the application.
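The secure query patterns and CRUD/FLS checks described in both the current answer and the recommended update, shown as one added Apex example that is not part of the original FAQ: a dynamic SOQL method of the kind a scanner reports as ApexSOQLInjection and ApexCRUDViolation, next to a hardened version. The class name `ContactSearch`, the method names, and the `Contact` fields used are assumptions for illustration; `Database.queryWithBinds()` and `AccessLevel.USER_MODE` require API version 57.0 or later.

```apex
// Added example, not from the original FAQ. Class, method and field
// choices are assumptions for illustration.
public with sharing class ContactSearch {

    // VULNERABLE: both the value and the ORDER BY identifier come straight
    // from the caller. A lastName of  x' OR Name != '  rewrites the WHERE
    // clause, and orderField can name any field, including ones the user
    // has no field-level access to. No CRUD/FLS check is performed.
    public static List<Contact> findUnsafe(String lastName, String orderField) {
        String q = 'SELECT Id, Name, Email FROM Contact WHERE LastName = \''
                 + lastName + '\' ORDER BY ' + orderField;
        return Database.query(q);
    }

    // HARDENED: values are bound, identifiers are allow-listed against the
    // schema, and CRUD/FLS is enforced for the running user.
    public static List<Contact> findSafe(String lastName, String orderField) {
        // Identifiers cannot be bind variables, and escapeSingleQuotes()
        // does nothing useful for them, so verify the field exists on the
        // object and is sortable before splicing its canonical name in.
        Map<String, Schema.SObjectField> fieldMap =
            Schema.SObjectType.Contact.fields.getMap();
        Schema.SObjectField fld = fieldMap.get(orderField.toLowerCase());
        if (fld == null || !fld.getDescribe().isSortable()) {
            throw new IllegalArgumentException('Unsupported sort field');
        }
        String safeOrder = fld.getDescribe().getName();

        // The value travels as a bind, so it is never parsed as SOQL.
        // AccessLevel.USER_MODE makes the query respect the running user's
        // object and field permissions (a QueryException is raised if a
        // selected field is not readable), which covers the CRUD/FLS step.
        String q = 'SELECT Id, Name, Email FROM Contact WHERE LastName = :ln'
                 + ' ORDER BY ' + safeOrder;
        return (List<Contact>) Database.queryWithBinds(
            q, new Map<String, Object>{ 'ln' => lastName }, AccessLevel.USER_MODE);
    }

    // When a value really must be concatenated (for example a LIKE pattern
    // assembled in code), escapeSingleQuotes() is the fallback. It escapes
    // single quotes only: LIKE wildcards (% and _) in the input are still
    // interpreted, so strip or reject them separately if that matters.
    // The explicit isAccessible() call is the hand-written form of the
    // CRUD check; WITH USER_MODE then enforces FLS on the selected fields.
    public static List<Contact> findByNamePrefix(String prefix) {
        if (!Schema.SObjectType.Contact.isAccessible()) {
            throw new NoAccessException();
        }
        String safe = String.escapeSingleQuotes(prefix);
        String q = 'SELECT Id, Name FROM Contact WHERE Name LIKE \'' + safe
                 + '%\' WITH USER_MODE';
        return Database.query(q);
    }
}
```

During a code-only review, the question for each flagged method is which of these three shapes it matches: a scanner will flag `findUnsafe` and `findByNamePrefix` alike because both concatenate, but only the first is a true positive, and the evidence for closing the second is the `escapeSingleQuotes()` call plus the permission check, which is what belongs in the false positive report.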
Reasoning
I made minimal improvements to enhance clarity and tone while preserving all existing content and structure. The main changes were: 1) Updated point 3 to include modern security features (WITH USER_MODE and AccessLevel.USER_MODE) as recommended in the security approaches guidelines, while keeping the original requirement about validating permissions. 2) Made minor tone adjustments like changing 'they are false positives' to 'they're false positives' and 'that the code is' to 'that your code is' to follow the conversational style guidelines. 3) Changed 'that does not directly access' to 'that doesn't directly access' for consistency with the conversational tone. For security rules selected: ApexSOQLInjection directly relates to the FAQ's core topic about SQL/SOQL injection evaluation. The FAQ discusses 'dynamic SOQL/SOQL queries' and avoiding 'string concatenation' which are exactly what this rule detects. ApexCRUDViolation relates to the FAQ's point 3 about 'Validate user permissions for objects and fields before executing queries' - this rule checks for proper CRUD/FLS enforcement which is the technical implementation of that validation requirement.