How to protect against SOQL injection vulnerabilities?

How to protect against SOQL injection vulnerabilities?
Static Query and Bind Variables
The first and most recommended method to prevent SOQL injection is to use static queries with bind variables. Consider the following query.Static Query:
SELECT Id FROM Contact WHERE Name LIKE: var

String query = ‘select id from contact where firstname =\’’+var+’\’’;
queryResult = Database.execute(query);

Using user input (the var variable) directly in a SOQL query opens the application up to SOQL injection. To mitigate the risk, translate the query into a static query like this one.
queryResult = [select id from contact where firstname =:var];

Typecasting
Another strategy to prevent SOQL injection is to use typecasting. By casting all variables as strings, user input can drift outside of expectation. By typecasting variables as integers or Booleans, when applicable, erroneous user input is not permitted.

Escaping Single Quotes
Another XSS mitigation option that is commonly used by developers who include user-controlled strings in their queries is the platform-provided escape function String.escapeSingleQuotes().

If you must use dynamic SOQL, use the escapeSingleQuotes method to sanitize user-supplied input. This method adds the escape character (\) to all single quotation marks in a string that is passed in from a user. The method ensures that all single quotation marks are treated as enclosing strings, instead of database commands.

Whitelisting
Create a list of all “known good” values that the user is allowed to supply. If the user enters anything else, you reject the response.

Replacing Characters
A final approach for your tool belt is character replacement, also known as blacklisting. This approach removes “bad characters” from user input.

Check the below Example
SOQL:
'SELECT Id, AccountNumber, Name, Amount__c FROM Account WHERE IsActive = ' + var;
If someone enters "true AND AccountNumber = 100", they will get all info about Account with Account Number "100".
We can use the below code
var.replaceAll('[^\w]','');
This will remove all the whitespaces. So, that the query becomes invalid( SELECT Id, AccountNumber, Name, Amount__c FROM Account WHERE IsActive = trueANDAccountNumber=100 )

No comments:

Post a Comment