To fix SOQL injection issues in Apex code, you should make the following modifications:
1. **Use Bind Variables**: Reference user input as a bind variable (`WHERE Name = :userInput`) instead of concatenating it into the query text. A bound value is handed to the query engine as data, so quotes or SOQL keywords inside it cannot change the shape of the query. Binds also work in dynamic SOQL: `Database.query()` accepts simple bind variables that are in scope, and `Database.queryWithBinds()` takes an explicit `Map<String, Object>` of names to values.
2. **Sanitize Inputs**: Where a string value genuinely has to be spliced into a dynamic query as a quoted literal, pass it through `String.escapeSingleQuotes()` first. Be clear about what this does and does not cover: it escapes quote characters so the input cannot terminate a string literal, and it does nothing for input that lands outside quotes, such as object names, field names, or `ORDER BY` and `LIMIT` clauses. Those must be validated, not escaped.
3. **Avoid Direct Strings for Field/Object Names**: Do not splice caller-supplied object or field names into a query. If the query must be dynamic, resolve the name against the schema (`Schema.getGlobalDescribe()` or `Schema.SObjectType.<Object>.fields.getMap()`), reject anything the describe call does not return, and use the `getName()` of the resolved token rather than the raw input. Check CRUD/FLS on the resolved objects and fields as well (`isAccessible()`, `isUpdateable()`, and so on), because a dynamic query otherwise lets the caller name fields they are not permitted to read.
4. **Secure API Context**: Apex runs in system mode by default, so a query executed on behalf of an integration or API user with elevated privileges returns whatever that user can see, regardless of who triggered it. Declare the class `with sharing` and use `WITH SECURITY_ENFORCED` (or `WITH USER_MODE`, and `AccessLevel.USER_MODE` with `Database.queryWithBinds()`) so that sharing rules and field-level security apply to the running user instead of being bypassed.
5. **Validate and Restrict Inputs**: Validate every value that takes part in query construction against a predefined allowlist of acceptable values: known field names, a fixed set of sort directions, numeric ranges for `LIMIT` and `OFFSET`. Reject input that does not match rather than trying to strip bad characters out of it.
6. **Avoid String Concatenation**: Do not assemble dynamic SOQL from free-form strings. Build the object and field list from `Schema.SObjectType` and `Schema.SObjectField` describe tokens, and keep every user-controlled value in a bind variable so the only text that reaches the query engine is text your own code wrote.
7. **Sanitize Public Method Parameters**: Treat every parameter of a public or global method that runs a database operation as untrusted, in particular `@AuraEnabled`, `@RemoteAction`, `@InvocableMethod` and web service methods, since those are callable from outside the class and outside Apex.
These changes ensure secure input handling and query construction, mitigating SOQL injection risks.
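The points above put together, as an added example that is not code from the original page: a hypothetical `ContactLookup` class with the injectable version of a lookup beside two hardened versions. It queries only standard `Contact` fields; the class and method names are assumptions for illustration.

```apex
// Added example (not from the original page): one contact lookup written three ways.
// Class and method names are hypothetical; Contact, LastName and Email are standard fields.
public with sharing class ContactLookup {

    // VULNERABLE: caller input concatenated straight into a dynamic SOQL string.
    // Input  x' OR Email != '   turns the filter into  LastName = 'x' OR Email != ''
    // and returns every contact with an email address.
    public static List<Contact> findByLastNameUnsafe(String lastName) {
        String soql = 'SELECT Id, LastName, Email FROM Contact WHERE LastName = \''
                    + lastName + '\'';
        return Database.query(soql);
    }

    // SAFE (1): static SOQL with a bind variable. The platform passes lastName as a value,
    // never as query text, so quotes in it cannot alter the WHERE clause. WITH SECURITY_ENFORCED
    // makes the query fail if the running user lacks read access to a selected field.
    public static List<Contact> findByLastName(String lastName) {
        return [SELECT Id, LastName, Email FROM Contact
                WHERE LastName = :lastName
                WITH SECURITY_ENFORCED];
    }

    // SAFE (2): dynamic SOQL where an *identifier* (the sort field) comes from the caller.
    // Identifiers cannot be bound, so the name is resolved against the describe result and
    // rejected if it is not a real, readable Contact field. The value side still uses a bind.
    public static List<Contact> searchSorted(String lastNamePrefix, String sortField) {
        // fields.getMap() is keyed by lowercase API name.
        Map<String, Schema.SObjectField> fields = Schema.SObjectType.Contact.fields.getMap();
        Schema.SObjectField token = fields.get(sortField.toLowerCase()); // null if not a field
        if (token == null || !token.getDescribe().isAccessible()) {
            throw new IllegalArgumentException('Unsupported sort field');
        }
        // Splice the canonical name from the describe token, never the raw input.
        String safeSortField = token.getDescribe().getName();

        // The LIKE pattern is bound, so quotes are harmless; escaping the wildcard characters
        // stops the caller from widening the search with their own % and _.
        String pattern = lastNamePrefix.replace('\\', '\\\\')
                                       .replace('%', '\\%')
                                       .replace('_', '\\_') + '%';

        String soql = 'SELECT Id, LastName, Email FROM Contact '
                    + 'WHERE LastName LIKE :pattern '
                    + 'ORDER BY ' + safeSortField + ' '
                    + 'LIMIT 50';
        // AccessLevel.USER_MODE applies sharing and FLS of the running user to the dynamic query.
        return Database.queryWithBinds(soql,
                                       new Map<String, Object>{ 'pattern' => pattern },
                                       AccessLevel.USER_MODE);
    }

    // Fallback when a value really cannot be bound (legacy query-builder code, for instance):
    // escapeSingleQuotes() is the minimum, and it only protects a value inside quotes.
    public static String quotedLiteral(String value) {
        return '\'' + String.escapeSingleQuotes(value) + '\'';
    }
}
```

Note which defence applies to which input: `lastNamePrefix` is a value and goes through a bind, `sortField` is an identifier and goes through the allowlist built from the describe result. Neither `String.escapeSingleQuotes()` nor any other escaping would have made the `ORDER BY` splice safe, which is why the allowlist is the control there.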