FAQ-001620 - SQL Injection and Input Validation / Security Review and Vulnerability Assessment


Current FAQ

Question
How should I properly implement dynamic SOQL queries to avoid security review failures?
Answer
To properly implement dynamic SOQL queries and avoid security review failures, follow these best practices:

1. **Use Bind Variables**: Incorporate bind variables for user-supplied inputs in the WHERE clause to ensure inputs are treated as data, not executable code.
2. **Sanitize Input**: If bind variables aren't an option, use `String.escapeSingleQuotes()` to sanitize user inputs, escaping single quotes to prevent injection.
3. **Restrict User-Generated Queries**: Limit user input to object names, field names, and WHERE clause inputs. For complex queries, use the REST or SOAP API for safer execution.
4. **Perform CRUD/FLS Checks**: Enforce Create, Read, Update, and Delete (CRUD) and Field-Level Security (FLS) checks to ensure users have proper permissions.
5. **Validate Object and Field Names**: Use `Schema.getGlobalDescribe()` to validate object and field names, ensuring they exist and are valid.
6. **Use sObjectType or sObjectFields**: Replace string concatenation with `sObjectType` or `sObjectFields` to construct queries securely and enable permission checks.
7. **Sanitize Parameters in Public Methods**: Ensure all public methods with database operations sanitize their parameters.

By following these steps, you can mitigate SOQL injection risks and meet security review standards.

AI Recommended Enhancement

Related Security Rules: ApexSOQLInjection, ApexCRUDViolation
Question
How should I properly implement dynamic SOQL queries to avoid security review failures?
Recommended Answer Update
To properly implement dynamic SOQL queries and avoid security review failures, follow these best practices:

1. **Use Bind Variables**: Incorporate bind variables for user-supplied inputs in the WHERE clause to ensure inputs are treated as data, not executable code.
2. **Sanitize Input**: If bind variables aren't an option, use `String.escapeSingleQuotes()` to sanitize user inputs, escaping single quotes to prevent injection.
3. **Restrict User-Generated Queries**: Limit user input to object names, field names, and WHERE clause inputs. For complex queries, use the REST or SOAP API for safer execution.
4. **Perform CRUD/FLS Checks**: Enforce Create, Read, Update, and Delete (CRUD) and Field-Level Security (FLS) checks to ensure users have proper permissions. Use `WITH USER_MODE` for SOQL queries or `AccessLevel.USER_MODE` for Database methods to automatically enforce these permissions.
5. **Validate Object and Field Names**: Use `Schema.getGlobalDescribe()` to validate object and field names, ensuring they exist and are valid.
6. **Use sObjectType or sObjectFields**: Replace string concatenation with `sObjectType` or `sObjectFields` to construct queries securely and enable permission checks.
7. **Sanitize Parameters in Public Methods**: Ensure all public methods with database operations sanitize their parameters.

By following these steps, you can mitigate SOQL injection risks and meet security review standards.
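As an added example (not code from the FAQ itself), the following Apex class applies points 1, 2, 4, 5 and 6 of both answers above in one place: a bind variable with `WITH USER_MODE` for the common case, schema-validated object and field names with `Database.queryWithBinds` and `AccessLevel.USER_MODE` when the query text itself must be dynamic, and `String.escapeSingleQuotes()` only as the fallback. The class and method names (`SecureDynamicQuery`, `findAccountsByName`, `queryByField`, `legacyFilter`) are assumptions; `Account` and `Contact` are standard objects, so nothing custom is required to compile it.

```apex
// Added example: secure dynamic SOQL patterns in Apex. Class and method names are assumed.
public with sharing class SecureDynamicQuery {

    // Point 1 + 4: the user value is bound, never concatenated, and USER_MODE
    // makes the platform enforce CRUD/FLS for the running user.
    public static List<Account> findAccountsByName(String namePrefix) {
        String pattern = namePrefix + '%';
        return [SELECT Id, Name FROM Account WHERE Name LIKE :pattern WITH USER_MODE];
    }

    // Points 5 + 6 + 4: object and field names come from user input, so they are
    // checked against the schema and the canonical describe names are used in the
    // query text. The filter value still travels as a bind, not as text.
    public static List<SObject> queryByField(String objectName, String fieldName, String value) {
        Schema.SObjectType objType = Schema.getGlobalDescribe().get(objectName);
        if (objType == null) {
            throw new IllegalArgumentException('Unknown object: ' + objectName);
        }
        Schema.DescribeSObjectResult objDescribe = objType.getDescribe();
        Schema.SObjectField field = objDescribe.fields.getMap().get(fieldName);
        if (field == null) {
            throw new IllegalArgumentException('Unknown field: ' + fieldName);
        }
        // Use the describe results' own names rather than the raw strings.
        String safeObject = objDescribe.getName();
        String safeField = field.getDescribe().getName();

        // Set avoids "SELECT Id, Id" if the caller asked for the Id field.
        Set<String> selectFields = new Set<String>{ 'Id', safeField };
        String soql = 'SELECT ' + String.join(new List<String>(selectFields), ', ')
            + ' FROM ' + safeObject
            + ' WHERE ' + safeField + ' = :val';

        // Database.queryWithBinds takes the bind map explicitly and enforces USER_MODE.
        return Database.queryWithBinds(
            soql,
            new Map<String, Object>{ 'val' => value },
            AccessLevel.USER_MODE
        );
    }

    // Point 2: only when a bind variable is genuinely not an option, escape the
    // value before it enters the query string, and still run in USER_MODE.
    // Unsafe form this replaces: '... WHERE LastName = \'' + lastName + '\''
    public static List<Contact> legacyFilter(String lastName) {
        String soql = 'SELECT Id, LastName FROM Contact WHERE LastName = \''
            + String.escapeSingleQuotes(lastName) + '\'';
        return Database.query(soql, AccessLevel.USER_MODE);
    }
}
```

`queryByField` never lets the raw `objectName` or `fieldName` reach the query text: an unknown name is rejected, and a known one is replaced by the name the describe call returns. Scanners that flag ApexSOQLInjection and ApexCRUDViolation are satisfied by the bind-plus-USER_MODE pattern; the `legacyFilter` form is kept only to show where `escapeSingleQuotes()` belongs when a bind cannot be used.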
Reasoning
The FAQ content is accurate and comprehensive. I made one enhancement to point #4 by adding modern security enforcement approaches (`WITH USER_MODE` for SOQL queries and `AccessLevel.USER_MODE` for Database methods) as recommended in the security approaches guidelines. This addition follows the guideline to 'prioritize modern features' while preserving the existing valid information about CRUD/FLS checks. The rest of the content remains unchanged as it provides solid security guidance.

For the security rules selected:

- ApexSOQLInjection: This rule directly relates to the core topic of the FAQ, which teaches developers how to prevent SOQL injection vulnerabilities. The FAQ's points about using bind variables (point 1), sanitizing input with `String.escapeSingleQuotes()` (point 2), restricting user-generated queries (point 3), and sanitizing parameters in public methods (point 7) all directly address SOQL injection prevention.
- ApexCRUDViolation: This rule is relevant to point 4 of the FAQ answer, which explicitly discusses enforcing 'Create, Read, Update, and Delete (CRUD) and Field-Level Security (FLS) checks to ensure users have proper permissions.' The FAQ teaches developers how to perform these permission checks when implementing dynamic SOQL queries.