SOQL Injection?

SOQL injection is a technique by which user effects your application to execute the database methods and you did not intend by passing SOQL statements into your script. Means any user can hack your Database or do fake login in to your secure account without any knowing your password.

This occur in an Apex script whenever your application relies on end user input to the construct a dynamic SOQL statement and you do not handle the input properly. This is the most secure thing you should know about your code of

To prevent SOQL injection, use the escapeSingleQuotes (like ‘\’) method in the Dynamic SOQL. This method adds the escape character (\) to all single quotation marks in a string that is passed in from any user. The method ensures that all single quotation marks are treated as enclosing strings, instead of database commands.

Code:

public Account[] getAccountInfo() {

    String userInput = Apexpages.currentPage().getParameters().get('nameofAccount');

    Account[] accs = database.query('SELECT name,address,city FROM Account WHERE name = \'' + userInput + '\'');

    return accs;

}

Description:

Above code explain it self user enters Account name and Dynamic SOQL used this name and returns the information about Account.

However if there is hacker user enter Account name like ‘Accoun1’ or ‘xxxxx’ so he can get your secure Account information. We can prevent this write the Class as “with sharing”.