SOQL Injection

A SOQL injection consists of insertion or injection of SOQL query via the input data from client to application. A successful SQQL injection exploit can read sensitive data from the database.

Below is the example of Apex and Lightning Component code vulnerable to SOQL injection.





Now enter name existing contact name and click on search button to see the result, in my case I search for contact whose Name contains 'Winter'.

Now in search box enter " winter%' OR Name LIKE ' " and click on search button to all contact records.

How to prevent SOQL injection?

1. Static Query: To prevent SOQL injection attach, avoid using dynamic SOQL queries. Instead, use static queries and binding variables.

2. Escaping Single Quotes: use of string.escapeSingleQuotes() method arounf variable function escapes any instance that it finds of a ‘ quote in the string using the backslash (\) escape character. This prevents an attacker’s input from being treated as code by constraining them to the boundary of the string.


References: Salesforce Developer Guide, trailhead