FAQ-001623 - SQL Injection and Input Validation / Security Review and Vulnerability Assessment


Current FAQ

Question
How should I handle SQL Injection concerns when they appear in security scans of Salesforce applications?
Answer
To handle SQL Injection concerns in security scans of Salesforce applications, follow these best practices:

1. **Use Bind Variables**: Always use bind variables in SOQL queries to prevent user-controlled input from being directly included in the query.
2. **Sanitize Input Data**: Escape special characters or use methods like `String.escapeSingleQuotes` to ensure user input doesn't break the query structure.
3. **Validate User Input**: Use a whitelist of acceptable values for user input, especially when identifying object or field names. Use `Schema.getGlobalDescribe()` to retrieve valid object and field names for comparison.
4. **Perform CRUD/FLS Checks**: Ensure users have the necessary permissions to access the queried objects or fields.
5. **Avoid Dynamic SOQL Queries**: Refrain from using string concatenation to construct dynamic SOQL queries. Instead, use `sObjectType` or `sObjectFields` directly.
6. **Test Thoroughly**: Use automated security scanning tools and manual testing to test the entire solution, including external endpoints. Document false positives and address flagged vulnerabilities.
7. **Follow Secure Coding Guidelines**: Adhere to Salesforce Secure Coding Guidelines and security best practices throughout development.

These steps will help mitigate SQL Injection risks and ensure compliance with Salesforce security standards.
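The Apex class below is an added example; it is not part of this FAQ and not Salesforce's own code, and the class, method and parameter names are assumptions. It places the string-concatenation pattern that the ApexSOQLInjection rule flags next to the hardened forms from points 1, 2, 3 and 5: a bind variable in static SOQL, `String.escapeSingleQuotes` where dynamic SOQL cannot be avoided, and a `Schema.getGlobalDescribe()` whitelist for object and field names, which can be neither bound nor escaped.

```apex
public with sharing class ContactSearchExamples {

    // Hypothetical "before" method: the value is concatenated into the query text,
    // so a single quote in nameFragment changes the structure of the SOQL statement.
    // This is the shape a security scan reports as ApexSOQLInjection.
    public static List<Contact> searchUnsafe(String nameFragment) {
        String soql = 'SELECT Id, Name FROM Contact WHERE Name LIKE \'%' + nameFragment + '%\'';
        return Database.query(soql);
    }

    // Point 1 (and point 5): a bind variable in static SOQL. The user value is passed
    // as a parameter and never becomes part of the query text.
    public static List<Contact> searchWithBind(String nameFragment) {
        String pattern = '%' + nameFragment + '%';
        return [SELECT Id, Name FROM Contact WHERE Name LIKE :pattern];
    }

    // Point 2: if dynamic SOQL is unavoidable, escape the value before it is placed
    // inside a quoted string literal. Escaping only protects string literals; it does
    // nothing for identifiers such as object or field names.
    public static List<Contact> searchDynamicEscaped(String nameFragment) {
        String safeFragment = String.escapeSingleQuotes(nameFragment);
        String soql = 'SELECT Id, Name FROM Contact WHERE Name LIKE \'%' + safeFragment + '%\'';
        return Database.query(soql);
    }

    // Point 3: object and field names supplied by the caller are validated against the
    // schema, and only the describe-returned canonical names are used in the query.
    // The filter value itself is still bound, not concatenated.
    public static List<SObject> queryByValidatedField(String objectName, String fieldName, String value) {
        Map<String, Schema.SObjectType> globalDescribe = Schema.getGlobalDescribe();
        Schema.SObjectType objType = globalDescribe.get(objectName.toLowerCase());
        if (objType == null) {
            throw new IllegalArgumentException('Unknown object: ' + objectName);
        }
        Schema.DescribeSObjectResult objDescribe = objType.getDescribe();
        Schema.SObjectField field = objDescribe.fields.getMap().get(fieldName.toLowerCase());
        if (field == null) {
            throw new IllegalArgumentException('Unknown field: ' + fieldName);
        }
        String canonicalObject = objDescribe.getName();
        String canonicalField = field.getDescribe().getName();
        String soql = 'SELECT Id, ' + canonicalField + ' FROM ' + canonicalObject
                    + ' WHERE ' + canonicalField + ' = :value';
        return Database.query(soql);
    }
}
```

A scan of `searchUnsafe` should stay flagged; the other three methods are the forms to move to. Note that the whitelist in `queryByValidatedField` proves the names exist, not that the running user may read them, which is what point 4 covers.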

AI Recommended Enhancement

Related Security Rules: ApexSOQLInjection, ApexCRUDViolation
Question
How should I handle SQL Injection concerns when they appear in security scans of Salesforce applications?
Recommended Answer Update
To handle SQL Injection concerns in security scans of Salesforce applications, follow these best practices:

1. **Use Bind Variables**: Always use bind variables in SOQL queries to prevent user-controlled input from being directly included in the query.
2. **Sanitize Input Data**: Escape special characters or use methods like `String.escapeSingleQuotes` to ensure user input doesn't break the query structure.
3. **Validate User Input**: Use a whitelist of acceptable values for user input, especially when identifying object or field names. Use `Schema.getGlobalDescribe()` to retrieve valid object and field names for comparison.
4. **Perform CRUD/FLS Checks**: Use `WITH USER_MODE` in SOQL queries or `AccessLevel.USER_MODE` in Database methods to automatically enforce user permissions. Alternatively, ensure users have the necessary permissions to access the queried objects or fields through manual checks.
5. **Avoid Dynamic SOQL Queries**: Refrain from using string concatenation to construct dynamic SOQL queries. Instead, use `sObjectType` or `sObjectFields` directly.
6. **Test Thoroughly**: Use automated security scanning tools and manual testing to test the entire solution, including external endpoints. Document false positives and address flagged vulnerabilities.
7. **Follow Secure Coding Guidelines**: Adhere to Salesforce Secure Coding Guidelines and security best practices throughout development.

These steps will help mitigate SQL Injection risks and ensure compliance with Salesforce security standards.
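As an added example for the updated point 4 (not from the FAQ or from Salesforce; class, method and parameter names are assumptions, and it assumes an API version recent enough to support user-mode operations), the class below shows `WITH USER_MODE` in static SOQL, `AccessLevel.USER_MODE` on `Database.queryWithBinds` and `Database.insert`, and the manual describe-based check that the FAQ keeps as the alternative. In user mode the platform enforces object and field permissions itself and the operation fails when the running user lacks access; the manual variant has to check every object and field explicitly, which is the gap the ApexCRUDViolation rule looks for.

```apex
public with sharing class UserModeAccessExamples {

    // Static SOQL in user mode: CRUD and FLS are enforced by the platform for the
    // object and every selected field. Missing access raises a QueryException
    // rather than silently returning data the user should not see.
    public static List<Account> readAccountsUserMode(String industry) {
        return [SELECT Id, Name, AnnualRevenue
                FROM Account
                WHERE Industry = :industry
                WITH USER_MODE];
    }

    // Dynamic SOQL in user mode: bind values travel in a map, so no user input is
    // concatenated into the query text, and AccessLevel.USER_MODE enforces permissions.
    public static List<SObject> readAccountsDynamicUserMode(String industry) {
        String soql = 'SELECT Id, Name, AnnualRevenue FROM Account WHERE Industry = :ind';
        Map<String, Object> binds = new Map<String, Object>{ 'ind' => industry };
        return Database.queryWithBinds(soql, binds, AccessLevel.USER_MODE);
    }

    // DML in user mode: the insert fails for an object or field the user cannot create.
    public static Database.SaveResult createAccountUserMode(String name) {
        Account acc = new Account(Name = name);
        return Database.insert(acc, AccessLevel.USER_MODE);
    }

    // Manual alternative kept by the FAQ: explicit object- and field-level checks
    // before a query that otherwise runs in system mode. Every field in the SELECT
    // list must be checked; forgetting one is exactly what the scanner reports.
    public static List<Account> readAccountsManualCheck(String industry) {
        Schema.DescribeSObjectResult accountDescribe = Schema.SObjectType.Account;
        if (!accountDescribe.isAccessible()
            || !Schema.SObjectType.Account.fields.Name.isAccessible()
            || !Schema.SObjectType.Account.fields.AnnualRevenue.isAccessible()
            || !Schema.SObjectType.Account.fields.Industry.isAccessible()) {
            throw new System.NoAccessException();
        }
        return [SELECT Id, Name, AnnualRevenue FROM Account WHERE Industry = :industry];
    }
}
```

Prefer the first three methods when the org's API version allows it; the manual form stays valid but grows a check for every new field added to the query.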
Reasoning
I made a focused update to point #4 to prioritize modern security features while preserving the existing advice. The original content mentioned CRUD/FLS checks but didn't highlight the most efficient modern approaches. I added `WITH USER_MODE` for SOQL queries and `AccessLevel.USER_MODE` for Database methods as the primary recommendation, while maintaining the existing manual permission check approach as an alternative. This follows the security approaches guidelines to 'prioritize modern features' while not inferring that 'old approaches are not acceptable.' The rest of the FAQ content remains accurate and appropriately comprehensive.

For ApexSOQLInjection rule: This rule directly relates to the FAQ's core topic of handling SQL injection in SOQL queries. The FAQ's points about bind variables (point #1), input sanitization (point #2), input validation (point #3), and avoiding dynamic SOQL (point #5) all directly address SOQL injection prevention, which is exactly what this rule detects.

For ApexCRUDViolation rule: This rule relates to point #4 of the FAQ which discusses performing CRUD/FLS checks to ensure users have proper permissions. The rule detects violations of object and field-level security, which is precisely what the FAQ is teaching developers to prevent through proper permission validation.