What is SOQL Injection?
Author
October 4, 2019
One of the most important features of an application is the ability to store and retrieve data from the underlying database layer. In traditional web applications this interaction happens through SQL; in Salesforce it happens through SOQL (Salesforce Object Query Language). SOQL is therefore a prime target for an attacker trying to gain access to an org's data.
SOQL injection occurs when a developer incorrectly trusts user input and places it into a query, letting the user change the structure of the query and expose information the query was never meant to return. Since almost all Salesforce development involves database interaction, the risk of SOQL injection is ever-present.
Let's go through an example demonstrating how a SOQL injection attack can happen.
Below is a Visualforce page and Apex controller used to demonstrate this. We've developed a custom page that enables users to search through their contacts. The list is filterable by entering a title filter in the search box.
Now type in a title filter like VP. The page behaves as expected and returns the filtered contacts. Under the hood, the application takes the parameter (the textual title) entered by the user and concatenates it directly into the SOQL query string.
This is exactly the condition that leads to SOQL injection: the attacker can modify the structure of the query rather than just supply a value. So let's try a more complex filter and see what actually happens.
Try entering the following filter in the title search: %' and Name like '%
This filter closes the single-quoted title literal and appends a second condition on Name, so the query now matches every contact regardless of title and returns data that was supposed to stay hidden. To build apps that are not vulnerable to SOQL injection, developers can use the techniques explained below.
Use Static Queries and Bind Variables:
Using a static query with bind variables removes the risk posed by concatenating user input into dynamic SOQL.
A bind variable ensures that the user-controlled input is treated as a value, never as an executable part of the query.
For example, if we pass the filter test' LIMIT 1 to a static query for contacts through a bind variable, the query simply looks for contacts whose title is "test' LIMIT 1". The attacker cannot break out of the string literal and control the SOQL query.
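As an added example (not the original post's code), the following controller shows the pattern described above: a vulnerable search method that concatenates the user's title filter into dynamic SOQL, next to the hardened version that uses a static query with a bind variable. The class and property names are assumptions; the Visualforce page would bind an apex:inputText to textualTitle and call one of the two search actions.

```apex
// Added example, not the original page's controller. Names are assumed.
public with sharing class ContactSearchController {

    // Bound to the search box on the Visualforce page (assumed name).
    public String textualTitle { get; set; }

    // Results rendered in a pageBlockTable on the page.
    public List<Contact> results { get; private set; }

    // VULNERABLE: the user's text is spliced straight into the query string.
    // Input  %' and Name like '%  closes the Title literal and adds a second
    // condition, so the query returns every contact regardless of title.
    public PageReference searchVulnerable() {
        String query = 'SELECT Id, Name, Title FROM Contact '
                     + 'WHERE Title LIKE \'%' + textualTitle + '%\'';
        results = Database.query(query);
        return null;
    }

    // HARDENED: static SOQL with a bind variable. Whatever the user typed is
    // passed to the database as a value; quotes inside it cannot alter the
    // query structure. The same payload now matches only contacts whose
    // title literally contains "' and Name like '".
    public PageReference searchSafe() {
        String pattern = '%' + textualTitle + '%';
        results = [SELECT Id, Name, Title
                   FROM Contact
                   WHERE Title LIKE :pattern
                   LIMIT 200];
        return null;
    }
}
```

The `with sharing` keyword is a separate but related control: it makes the query respect the running user's record-level access, so even a successful injection in a vulnerable method cannot pull records the user is not permitted to see.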
Escaping Single Quotes:
Another mitigation used by developers who must build queries from user input is the escape function String.escapeSingleQuotes(). It prefixes every single quote (') found in the string with a backslash (\) escape character.
This keeps an attacker's input inside the boundary of the string literal, so it cannot be treated as query syntax. If in the Apex class above we wrap the textual title variable in String.escapeSingleQuotes() and then try the filter %' and Name like '%, the SOQL injection payload no longer works. Other useful techniques are typecasting, replacing characters and whitelisting.
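As an added example (not from the original post), the method below combines the four remaining techniques for a query that cannot be written as a single static SOQL statement: escaping single quotes in the title filter, replacing LIKE wildcard characters, whitelisting the ORDER BY column (which cannot be bound), and typecasting a user-supplied account Id. The class, method and parameter names are assumptions.

```apex
// Added example, not the original page's code. Names are assumed.
public with sharing class ContactSearchHardened {

    // Whitelist: the only column names a user may sort by. ORDER BY cannot
    // take a bind variable, so anything not in this set is rejected outright.
    private static final Set<String> SORTABLE_FIELDS =
        new Set<String>{ 'Name', 'Title', 'LastModifiedDate' };

    public static List<Contact> search(String textualTitle,
                                       String sortField,
                                       String accountId) {
        // 1. Escaping: every ' becomes \' so the input cannot close the
        //    Title literal and append its own conditions.
        String safeTitle = String.escapeSingleQuotes(textualTitle);

        // 2. Replacing characters: strip LIKE wildcards so the user cannot
        //    widen the match beyond the substring they typed.
        safeTitle = safeTitle.replaceAll('[%_]', '');

        // 3. Whitelisting: reject any sort column we did not anticipate.
        if (!SORTABLE_FIELDS.contains(sortField)) {
            throw new IllegalArgumentException(
                'Unsupported sort field: ' + sortField);
        }

        String query = 'SELECT Id, Name, Title FROM Contact '
                     + 'WHERE Title LIKE \'%' + safeTitle + '%\'';

        // 4. Typecasting: Id.valueOf throws a StringException on anything
        //    that is not a well-formed record Id, so no free text reaches
        //    the query. The cast value is then supplied as a bind variable,
        //    which Database.query resolves from the local scope.
        if (String.isNotBlank(accountId)) {
            Id acct = Id.valueOf(accountId);
            query += ' AND AccountId = :acct';
        }

        // sortField is safe to concatenate only because it was whitelisted.
        query += ' ORDER BY ' + sortField + ' LIMIT 200';
        return Database.query(query);
    }
}
```

Note that escaping alone protects only quoted string literals; it does nothing for values placed outside quotes, such as a column name after ORDER BY or a number after LIMIT, which is why whitelisting and typecasting are used for those positions.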