FAQ-001626 - SQL Injection and Input Validation / Validation Rules and Access Controls


Current FAQ

Question
Is using a blacklist of objects sufficient to prevent information disclosure vulnerabilities in dynamic SOQL?
Answer
Using a blacklist of objects is not sufficient to prevent information disclosure vulnerabilities in dynamic SOQL. A blacklist fails open: any object that was not anticipated when the list was written (for example, a custom object added later) remains queryable. Instead, you should use a whitelist of acceptable object types, as this ensures that only explicitly approved objects are queried. Additionally, implement proper CRUD/FLS checks and sanitize user inputs to effectively mitigate such vulnerabilities.

AI Recommended Enhancement

Related Security Rules (click to view)
ApexSOQLInjection, ApexCRUDViolation
Question
Is using a blacklist of objects sufficient to prevent information disclosure vulnerabilities in dynamic SOQL?
Recommended Answer Update
Using a blacklist of objects isn't sufficient to prevent information disclosure vulnerabilities in dynamic SOQL. A blacklist fails open: any object that wasn't anticipated when the list was written (for example, a custom object added later) remains queryable. Instead, you should use a whitelist of acceptable object types, as this ensures that only explicitly approved objects are queried. Additionally, implement proper CRUD/FLS checks and sanitize user inputs to effectively mitigate such vulnerabilities.
Reasoning
The original answer used 'is not sufficient' which is slightly awkward phrasing. Changed to 'isn't sufficient' to align with conversational tone guidelines that recommend using contractions. This makes the text more natural and easier to read while preserving all the original technical content and meaning.

Regarding security rules:

**ApexSOQLInjection**: This rule directly relates to the FAQ's core topic about dynamic SOQL vulnerabilities. The FAQ discusses preventing information disclosure in dynamic SOQL through proper validation techniques (whitelisting vs blacklisting), input sanitization, and proper access controls - all of which are key defenses against SOQL injection attacks that this rule detects.

**ApexCRUDViolation**: This rule is relevant because the FAQ specifically mentions implementing 'proper CRUD/FLS checks' as a mitigation strategy. The rule detects missing CRUD (Create, Read, Update, Delete) permission checks in Apex code, which directly corresponds to the CRUD checks recommended in the FAQ answer.
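As an added illustration of the controls both the answer and the recommended update describe (object whitelist rather than blacklist, CRUD/FLS checks, input sanitization), here is an Apex method that applies all three before running a dynamic SOQL query. This is example code, not code from the FAQ or from Salesforce; the class name, the whitelist contents and the exception type are assumed for the example.

```apex
// Example only: dynamic SOQL guarded by a whitelist, CRUD/FLS checks and escaping.
public with sharing class WhitelistedQuery {
    // Whitelist (assumed for the example): only these objects and fields may be
    // used to build a query. Anything not listed is rejected, so a new custom
    // object is blocked by default instead of slipping past a blacklist.
    private static final Set<String> ALLOWED_OBJECTS = new Set<String>{'Account', 'Contact'};
    private static final Set<String> ALLOWED_FIELDS  = new Set<String>{'Id', 'Name'};

    public class DisallowedQueryException extends Exception {}

    public static List<SObject> queryByName(String objectName, String fieldName, String nameValue) {
        // 1. Whitelist the identifiers that become part of the SOQL text.
        //    Identifiers cannot be escaped, so they must be validated, not sanitized.
        if (!ALLOWED_OBJECTS.contains(objectName)) {
            throw new DisallowedQueryException('Object not permitted: ' + objectName);
        }
        if (!ALLOWED_FIELDS.contains(fieldName)) {
            throw new DisallowedQueryException('Field not permitted: ' + fieldName);
        }

        // 2. CRUD/FLS: confirm the running user may read this object and field.
        //    Describe maps are keyed by lowercase API name.
        Schema.DescribeSObjectResult objDescribe =
            Schema.getGlobalDescribe().get(objectName.toLowerCase()).getDescribe();
        if (!objDescribe.isAccessible()) {
            throw new DisallowedQueryException('No read access to object ' + objectName);
        }
        Schema.DescribeFieldResult fieldDescribe =
            objDescribe.fields.getMap().get(fieldName.toLowerCase()).getDescribe();
        if (!fieldDescribe.isAccessible()) {
            throw new DisallowedQueryException('No read access to field ' + fieldName);
        }

        // 3. Sanitize the one user-supplied value that is interpolated as a literal.
        String safeValue = String.escapeSingleQuotes(nameValue);

        // WITH SECURITY_ENFORCED makes the platform re-check FLS at query time,
        // so a missed describe check above still fails closed.
        String soql = 'SELECT ' + fieldName + ' FROM ' + objectName
                    + ' WHERE Name = \'' + safeValue + '\''
                    + ' WITH SECURITY_ENFORCED LIMIT 100';
        return Database.query(soql);
    }
}
```

A request such as queryByName('Opportunity__c', 'Name', 'Acme') is rejected at step 1 even though that object was never blacklisted, which is the practical difference between the two approaches.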