FAQ-001627 - SQL Injection and Input Validation / Validation Rules and Access Controls


Current FAQ

Question
Are validation rules sufficient for preventing SQL injection, or is additional Apex validation required?
Answer
Validation rules alone are not sufficient to prevent SOQL injection in Salesforce. Additional Apex validation is required for robust protection. You should:
- Sanitize all user inputs.
- Use bind variables in SOQL queries to prevent injection vulnerabilities.
- Implement proper CRUD/FLS checks.
- Follow secure coding practices, such as whitelisting acceptable values and using Schema methods.
- Use bind variables and sanitize user inputs in Apex to prevent SOQL injection vulnerabilities.
- Verify user permissions by enforcing object and field-level security before executing queries.
These measures are essential to effectively mitigate SOQL injection risks and ensure comprehensive security.

AI Recommended Enhancement

Related Security Rules
- ApexSOQLInjection
- ApexCRUDViolation
Question
Are validation rules sufficient for preventing SQL injection, or is additional Apex validation required?
Recommended Answer Update
Validation rules alone are not sufficient to prevent SOQL injection in Salesforce. Additional Apex validation is required for robust protection. You should:
- Sanitize all user inputs
- Use bind variables in SOQL queries to prevent injection vulnerabilities
- Implement proper CRUD/FLS checks
- Follow secure coding practices, such as whitelisting acceptable values and using Schema methods
- Verify user permissions by enforcing object and field-level security before executing queries
These measures are essential to effectively mitigate SOQL injection risks and ensure comprehensive security.
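As an added illustration for both the current and the recommended answer (this is not code from the FAQ or from Salesforce's own documentation), the lookup class below places the vulnerable string-concatenation pattern next to the bind-variable form that also enforces the CRUD/FLS checks the answer calls for; the class, method and exception names are assumptions for the example.

```apex
// Added example, not part of this FAQ. Names are illustrative.
public with sharing class AccountLookup {

    public class AccessDeniedException extends Exception {}

    // VULNERABLE: the caller-supplied fragment becomes part of the query
    // text. A single quote in the input ends the string literal, and
    // whatever follows is parsed as SOQL rather than treated as data.
    // This is the pattern the ApexSOQLInjection rule flags.
    public static List<Account> findByNameUnsafe(String fragment) {
        String soql = 'SELECT Id, Name FROM Account '
                    + 'WHERE Name LIKE \'%' + fragment + '%\'';
        return Database.query(soql);
    }

    // HARDENED: object- and field-level security are verified first
    // (the checks ApexCRUDViolation looks for), and the input reaches
    // the query engine only as a bind variable, so it can never change
    // the structure of the statement.
    public static List<Account> findByNameSafe(String fragment) {
        // CRUD: may the running user read Account at all?
        if (!Schema.sObjectType.Account.isAccessible()) {
            throw new AccessDeniedException('No read access to Account');
        }
        // FLS: may the running user read every field this query selects?
        if (!Schema.sObjectType.Account.fields.Name.isAccessible()) {
            throw new AccessDeniedException('No read access to Account.Name');
        }
        // Bound as data; wildcards in the input only widen the match,
        // they cannot alter the query's meaning.
        String pattern = '%' + fragment + '%';
        return [SELECT Id, Name FROM Account WHERE Name LIKE :pattern];
    }

    // If the query must stay dynamic, a bind variable still works with
    // Database.query as long as the variable is in scope at the call.
    // Only values that must be spliced into the string as literals need
    // String.escapeSingleQuotes(), and whitelisting is preferable for
    // anything that selects field or object names.
    public static List<Account> findByNameDynamic(String fragment) {
        if (!Schema.sObjectType.Account.isAccessible()
            || !Schema.sObjectType.Account.fields.Name.isAccessible()) {
            throw new AccessDeniedException('Insufficient access to Account');
        }
        String pattern = '%' + fragment + '%';
        return Database.query(
            'SELECT Id, Name FROM Account WHERE Name LIKE :pattern');
    }
}
```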
Reasoning
The FAQ content is accurate and covers the essential security practices for preventing SOQL injection. However, I made minor improvements for clarity and readability: removed redundant bullet points that repeated similar information about bind variables and input sanitization (the original had two nearly identical points), and improved the flow by better organizing the recommendations. The content correctly emphasizes that validation rules alone are insufficient and properly covers the key mitigation strategies. I selected ApexSOQLInjection because this rule directly detects SOQL injection vulnerabilities in Apex code, which is the primary security concern discussed in the FAQ. The FAQ specifically mentions using bind variables and sanitizing user inputs to prevent SOQL injection, which aligns exactly with what this rule identifies. I selected ApexCRUDViolation because the FAQ explicitly mentions implementing "proper CRUD/FLS checks" and "verify user permissions by enforcing object and field-level security," which are the exact security violations this rule detects in Apex code.