SOQL Injections in Salesforce

By | November 1, 2013

SOQL injection is an application-security flaw that puts your data at risk. It arises when no preventive measures are taken while writing the SOQL queries in Apex code, typically queries whose text is assembled from user-controlled input.

When a query is built dynamically from front-end input, a user can reshape the back-end query and retrieve records they should not have access to. Consider the following dynamic query string:

  • String query = 'SELECT Id FROM employeeDetail__c WHERE (UserLogged__c = true AND Name LIKE \'%' + name + '%\')';

When the user enters the name GreyMan, the resulting query is:

  • SELECT Id FROM employeeDetail__c WHERE (UserLogged__c = true AND Name LIKE '%GreyMan%')

But if the user instead supplies the input  test%') OR (Name LIKE '  (note the closing quote and parenthesis), the query becomes:

  • SELECT Id FROM employeeDetail__c WHERE (UserLogged__c = true AND Name LIKE '%test%') OR (Name LIKE '%')

The injected text rewrites the logic of the query: the OR clause matches every record, so the UserLogged__c = true condition no longer restricts anything and the Id of every employeeDetail__c record is returned.


A SOQL injection flaw can be used to change the intended logic of any vulnerable query like the one shown above. The most reliable way to prevent it is to avoid dynamic SOQL altogether and use static SOQL with a bind variable, so that the user's value is passed to the database as data rather than spliced into the query text:

  • String name = '%' + Qname + '%';
  • List<employeeDetail__c> results = [SELECT Id, Name FROM employeeDetail__c WHERE (UserLogged__c = true AND Name LIKE :name)];
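The two approaches side by side, as an added example that is not part of the original post: the vulnerable dynamic query from the start of the post next to the static, bind-variable version, plus an Apex test that runs the post's payload through both. It assumes the post's custom object employeeDetail__c has a text Name field and a checkbox field UserLogged__c; the class names, the test records and the assertions are this example's own.

```apex
// Added example, not code from the original post. Assumes a custom object
// employeeDetail__c with a text Name field and a checkbox UserLogged__c.
public with sharing class EmployeeSearch {

    // VULNERABLE: the user-supplied value is spliced into the query text, so
    // quotes and parentheses in it become part of the WHERE clause.
    public static List<employeeDetail__c> searchVulnerable(String name) {
        String q = 'SELECT Id, Name FROM employeeDetail__c '
                 + 'WHERE (UserLogged__c = true AND Name LIKE \'%' + name + '%\')';
        return Database.query(q);
    }

    // SAFE: static SOQL with a bind variable. The pattern is handed to the
    // database as a value; nothing in it can change the query's structure.
    // Only % and _ keep their LIKE wildcard meaning inside the bound value.
    public static List<employeeDetail__c> searchSafe(String name) {
        String pattern = '%' + name + '%';
        return [SELECT Id, Name FROM employeeDetail__c
                WHERE UserLogged__c = true AND Name LIKE :pattern];
    }
}

@IsTest
private class EmployeeSearchTest {
    @IsTest
    static void payloadRewritesOnlyTheDynamicQuery() {
        // Constructed test data: one record that should be visible, one that should not.
        insert new List<employeeDetail__c>{
            new employeeDetail__c(Name = 'GreyMan', UserLogged__c = true),
            new employeeDetail__c(Name = 'Hidden',  UserLogged__c = false)
        };
        // The post's payload: closes the LIKE literal and the parenthesis,
        // then appends an OR that matches every record.
        String payload = 'test%\') OR (Name LIKE \'';

        // The dynamic query becomes:
        //   ... WHERE (UserLogged__c = true AND Name LIKE '%test%') OR (Name LIKE '%')
        System.assertEquals(2, EmployeeSearch.searchVulnerable(payload).size());

        // The bound pattern is the literal "%test%') OR (Name LIKE '%", which no
        // Name contains, and the UserLogged__c filter is still enforced.
        System.assertEquals(0, EmployeeSearch.searchSafe(payload).size());
        System.assertEquals(1, EmployeeSearch.searchSafe('Grey').size());
    }
}
```

In an org the two classes live in separate files. Note the remaining caveat of the safe version: % and _ typed by the user still act as wildcards inside the bound LIKE pattern, which is harmless for a contains-search but must be escaped with SOQL's \% and \_ sequences if a literal match is required.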

Some further points to keep in mind when writing SOQL queries:

  • The same rule holds for stored procedures on other databases: a procedure with purely static logic is fine, but one that builds SQL dynamically inside itself (for example with exec or similar constructs) can still be injected.
  • Simple bind variables work in both static and dynamic SOQL, but a field of a variable (for example employeeDetail.Employee_Name__c) cannot be used as a bind variable inside a dynamic query string. The following attempt is rejected by Database.query:

Object_Variable__c employeeDetail = new Object_Variable__c(Employee_Name__c = 'GreyMan');

// Not allowed: a field of a variable used as a bind in a dynamic query string
String query = 'SELECT Id, Employee_Id__c, Employee_Name__c FROM Employee__c WHERE Employee_Name__c = :employeeDetail.Employee_Name__c';
List<Employee__c> result = Database.query(query);

  • Instead, resolve the field into a plain string variable and bind that string, either in a static query or in the dynamic query string:

String Empname = 'GreyMan';

List<Employee__c> result = [SELECT Id, Employee_Id__c, Employee_Name__c FROM Employee__c WHERE Employee_Name__c = :Empname];

OR

Object_Variable__c employeeDetail = new Object_Variable__c(Employee_Name__c = 'GreyMan');

String employeeName = employeeDetail.Employee_Name__c;

String query = 'SELECT Id, Employee_Id__c, Employee_Name__c FROM Employee__c WHERE Employee_Name__c = :employeeName';
List<Employee__c> result = Database.query(query);

  • Sanitizing user data before passing it to a query is a standard best practice, but proper construction of queries is the most important and reliable defense.
  • If dynamic SOQL is unavoidable, sanitize the user input with the String.escapeSingleQuotes method. It inserts a backslash before every single quote in the string, so a quote in the input is treated as part of the string value rather than as the end of the quoted literal. This only protects values that sit inside single quotes; input used anywhere else in the query (a field name, an ORDER BY or LIMIT clause) must be validated against an allow-list of permitted values instead.

String sQuery = 'SELECT Id, Employee_Id__c, Employee_Name__c';

sQuery += ' FROM Employee__c';

sQuery += ' WHERE Employee_Name__c = \'' + String.escapeSingleQuotes(Empname) + '\'';

List<Employee__c> results = Database.query(sQuery);
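An added example (not from the original post) of dynamic SOQL that has to stay dynamic, here because the caller chooses the sort column: the quoted value is protected with String.escapeSingleQuotes, the column name, which no escaping can protect, is checked against an allow-list, and a second method does the same with Database.queryWithBinds (available since API version 57.0), which keeps the value out of the query text altogether. The Employee__c object and its fields are the post's; the class, the allow-list, the payloads and the test records are assumptions of this example.

```apex
// Added example, not code from the original post. Assumes the post's custom
// object Employee__c with a text Name field and text fields Employee_Name__c
// and Employee_Id__c.
public with sharing class EmployeeDynamicSearch {

    // Input that lands outside single quotes cannot be escaped; it must be
    // constrained to known-good values instead.
    private static final Set<String> SORTABLE_FIELDS =
        new Set<String>{ 'Name', 'Employee_Id__c', 'Employee_Name__c' };

    private static void requireSortable(String orderBy) {
        if (!SORTABLE_FIELDS.contains(orderBy)) {
            throw new IllegalArgumentException('Unsupported sort field: ' + orderBy);
        }
    }

    // escapeSingleQuotes turns  x' OR Employee_Name__c != '  into
    // x\' OR Employee_Name__c != \'  so the whole input stays inside the literal.
    public static List<Employee__c> search(String empName, String orderBy) {
        requireSortable(orderBy);
        String sQuery = 'SELECT Id, Employee_Id__c, Employee_Name__c FROM Employee__c'
            + ' WHERE Employee_Name__c = \'' + String.escapeSingleQuotes(empName) + '\''
            + ' ORDER BY ' + orderBy;
        return Database.query(sQuery);
    }

    // Preferred on API 57.0 and later: the value is bound, never concatenated,
    // and USER_MODE enforces the running user's object and field permissions.
    public static List<Employee__c> searchWithBinds(String empName, String orderBy) {
        requireSortable(orderBy);
        String sQuery = 'SELECT Id, Employee_Id__c, Employee_Name__c FROM Employee__c'
            + ' WHERE Employee_Name__c = :empName ORDER BY ' + orderBy;
        return Database.queryWithBinds(
            sQuery, new Map<String, Object>{ 'empName' => empName }, AccessLevel.USER_MODE);
    }
}

@IsTest
private class EmployeeDynamicSearchTest {
    @IsTest
    static void quoteBreakoutAndSortInjectionAreBlocked() {
        // Constructed test data.
        insert new List<Employee__c>{
            new Employee__c(Name = 'GreyMan', Employee_Name__c = 'GreyMan', Employee_Id__c = 'E1'),
            new Employee__c(Name = 'Other',   Employee_Name__c = 'Other',   Employee_Id__c = 'E2')
        };
        String payload = 'x\' OR Employee_Name__c != \'';

        // Without escaping the WHERE clause would read
        //   Employee_Name__c = 'x' OR Employee_Name__c != ''   and return both rows.
        System.assertEquals(0, EmployeeDynamicSearch.search(payload, 'Name').size());
        System.assertEquals(0, EmployeeDynamicSearch.searchWithBinds(payload, 'Name').size());
        System.assertEquals(1, EmployeeDynamicSearch.search('GreyMan', 'Employee_Id__c').size());

        // A sort column is not inside quotes, so only the allow-list protects it.
        try {
            EmployeeDynamicSearch.search('GreyMan', 'Name LIMIT 0');
            System.assert(false, 'Expected rejection of an unlisted sort expression');
        } catch (IllegalArgumentException e) {
            System.assert(e.getMessage().contains('Unsupported sort field'));
        }
    }
}
```

The allow-list is the important part of this example: escapeSingleQuotes would pass the string  Name LIMIT 0  through untouched, because it contains no quote, and concatenated into ORDER BY it would silently change the query.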

About Us
Greytrix, as a Salesforce product development partner, offers a wide variety of integration products and services to end users as well as to partners across the globe. We offer consultation, configuration, training and support services for out-of-the-box functionality as well as customizations that incorporate custom business rules and functionality requiring Apex code on the Salesforce platform.

Greytrix has some unique solutions for Cloud CRM such as Salesforce integration with Sage Enterprise Management (Sage X3), Sage Intacct, Sage 100 and Sage 300 (Sage Accpac). We also offer best-in-class Cloud CRM Salesforce customization and development services along with services such as Salesforce Data Migration, Integrated App development, Custom App development and Technical Support to business partners and end users.

Greytrix GUMU™ integration for Sage ERP – Salesforce is a 5-star app listed on Salesforce AppExchange.

For more information, please contact us at salesforce@greytrix.com. We will be glad to assist you.
