Friday, 21 April 2017

                                     SOQL Injection


 SOQL Injection is the breach of our application security which is dangerous for our valuable data. This happens because preventive measures are not taken into consideration when we write our SOQL queries for any DML operation.

  Let’s see  below example. I created a string variable searchstring; and used the variable in the LIKE query. This search string gets its input from the data entered by the user in the text box in the visualforce page. The searchstring passes the query string variable inside the database.query() method.
------------------------------------------------------------------------------------------------------------------

 <apex:page standardController="account" extensions="accsearchcontroller">
    <apex:form >
        <apex:inputText value="{!searchstring}" label="Input"/>
        <apex:commandButton value="Search records" action="{!search}"/>
        <apex:commandButton value="Clear records" action="{!clear}"/>
        <apex:pageBlock title="Search Result">
            <apex:pageblockTable value="{!acc}" var="a">
                <apex:column >
                    <apex:outputlink value="https://ap1.salesforce.com/{!a.id}">{!a.Name}</apex:outputlink>
                </apex:column>
                <apex:column value="{!a.id}"/>
            </apex:pageBlockTable>  
        </apex:pageBlock>
    </apex:form>
</apex:page>
 ----------------------------------------------------------------------------------------------------------
  public  class accsearchcontroller {
   public list <account> acc {get;set;}
   public string searchstring {get;set;}
   public accsearchcontroller(ApexPages.StandardController controller) {
   }
   public void search(){
     string searchquery='select name,id from account where name like \'%'+searchstring+'%\' Limit 20';
     acc= Database.query(searchquery);
   }
   public void clear(){
   acc.clear();
   }
 }
--------------------------------------------------------------------------------------------------------------
I Hope  our  code is working fine.Now we will start our discussion on SOQL Injection

Suppose if user provides this input :test%.

What will happen ?Please try it once?!!!
You got error.Suddenly you are working code shows error???!!!!

So next question??!!!

Why It throws error ? Answer is very simple  soql query dont know how to handle the user Injected data (Interesting!!!).

Then  how to resolve it ?

To prevent a SOQL injection attack, avoid using dynamic SOQL queries. Instead, use static queries and binding variables. The vulnerable example above can be re-written using static SOQL as follows:


 public  class accsearchcontroller {
   public list <account> acc {get;set;}
   public string searchstring {get;set;}
   
   public accsearchcontroller(ApexPages.StandardController controller) {
   }
   public void search(){
     acc=[select name,id from account where (IsDeleted = false and Name like :searchstring)];
 
   }
   public void clear(){
   acc.clear();
   }
 }
---------------------------------------------------------------------------------------------------------

<apex:page standardController="account" extensions="accsearchcontroller">
    <apex:form >
        <apex:inputText value="{!searchstring}" label="Input"/>
        <apex:commandButton value="Search records" action="{!search}"/>
        <apex:commandButton value="Clear records" action="{!clear}"/>
        <apex:pageBlock title="Search Result">
            <apex:pageblockTable value="{!acc}" var="a">
                <apex:column >
                    <apex:outputlink value="https://ap1.salesforce.com/{!a.id}">{!a.Name}</apex:outputlink>
                </apex:column>
                <apex:column value="{!a.id}"/>
            </apex:pageBlockTable>  
        </apex:pageBlock>
    </apex:form>
</apex:page>