Your Apex code still appears to be vulnerable to SOQL injection. Please check your code again.
Trailmix ==>

Injection Vulnerability Prevention >> Prevent SOQL Injection in Your Code


Challenge ==>

Prevent a SOQL injection attack

For this challenge, write code that isn't vulnerable to SOQL injection. Navigate to the Prevent SOQL Injection Challenge tab within the SOQL Injection application. You will see multiple search boxes with Perform Search buttons. The Prevent_SOQL_Injection_Challenge Apex controller includes three methods containing dynamic queries: stringSearchOne(), stringSearchTwo(), and numberSearchOne(). Modify the stringSearchOne() and stringSearchTwo() queries to prevent SOQL injection using the String.escapeSingleQuotes() method. Modify the numberSearchOne() query to prevent SOQL injection using the typecasting method.

Error ==>
Your Apex code still appears to be vulnerable to SOQL injection. Please check your code again.

Solution ==>

public class Prevent_SOQL_Injection_Challenge {
    // Values bound to the search boxes on the Visualforce page (all user-controlled)
    public string textOne {get; set;}
    public string textTwo {get; set;}
    public string comparator {get; set;}
    public string numberOne {get; set;}
    public List<Supply__c> whereclause_records {get; set;}

    public PageReference stringSearchOne(){
        string query = 'SELECT Id,Name,Quantity__c,Storage_Location__c,Storage_Location__r.Castle__c,Type__c FROM Supply__c';
        string whereClause = '';
        if(textOne != null && textOne!=''){
            // The value sits inside a quoted literal, so escaping every single quote
            // means the input can never terminate the literal and append SOQL of its own.
            whereClause += 'name like \'%'+String.escapeSingleQuotes(textOne)+'%\' ';
        }
        if(whereClause != ''){
            whereclause_records = database.query(query+' where '+whereClause+' Limit 10');
        }
        return null;
    }

    public PageReference stringSearchTwo(){
        string query = 'SELECT Id,Name,Quantity__c,Storage_Location__c,Storage_Location__r.Castle__c,Type__c FROM Supply__c';
        string whereClause = '';
        if(textTwo != null && textTwo!=''){
            // Same technique as stringSearchOne, applied to the related-object field
            whereClause += 'Storage_Location__r.name like \'%'+String.escapeSingleQuotes(textTwo)+'%\' ';
        }
        if(whereClause != ''){
            whereclause_records = database.query(query+' where '+whereClause+' Limit 10');
        }
        return null;
    }

    public PageReference numberSearchOne(){
        string query = 'SELECT Id,Name,Quantity__c,Storage_Location__c,Storage_Location__r.Castle__c,Type__c FROM Supply__c';
        string whereClause = '';
        // The comparator is restricted to an allow-list of three operators, and the number
        // is typecast: Integer.valueOf throws on anything that is not an integer, so only a
        // real number can reach the query. Escaping quotes would not help here because a
        // numeric comparison has no string literal for the input to break out of.
        if(numberOne != null && comparator != null && (comparator == '<' || comparator == '>' || comparator == '=')){
            whereClause += 'Quantity__c '+String.escapeSingleQuotes(comparator)+' '+String.valueOf(Integer.valueOf(numberOne))+' ';
        }
        if(whereClause != ''){
            whereclause_records = database.query(query+' where '+whereClause+' Limit 10');
        }
        return null;
    }
}
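The challenge text names the two techniques but not why each one fits its query. As an added example (not part of the original post or of the Trailhead challenge code), the class below puts the vulnerable shape of the string search next to its hardened forms and shows why the numeric query needs typecasting rather than quote escaping. The class name SupplySearchExample and its method names are hypothetical; the Supply__c object and its fields are the ones used in the challenge, and the bind-variable variants are an extra hardening the challenge does not ask for.

```apex
// Added example (hypothetical class name): vulnerable string search next to the
// hardened forms, plus the typecast numeric search. Supply__c, Name and
// Quantity__c are the challenge's own object and fields.
public with sharing class SupplySearchExample {
    private static final String BASE_QUERY =
        'SELECT Id, Name, Quantity__c FROM Supply__c';

    // VULNERABLE: the user's text is concatenated straight into the literal, so a
    // single quote in the input ends the literal and whatever follows is parsed as SOQL.
    public static List<Supply__c> unsafeNameSearch(String userText) {
        String soql = BASE_QUERY + ' WHERE Name LIKE \'%' + userText + '%\' LIMIT 10';
        return Database.query(soql);
    }

    // HARDENED (1): escapeSingleQuotes prefixes every single quote in the input with a
    // backslash, so the input cannot close the literal. This only protects a value that
    // sits inside a quoted string literal.
    public static List<Supply__c> escapedNameSearch(String userText) {
        String soql = BASE_QUERY + ' WHERE Name LIKE \'%'
            + String.escapeSingleQuotes(userText) + '%\' LIMIT 10';
        return Database.query(soql);
    }

    // HARDENED (2): a bind variable keeps the value out of the query text entirely;
    // the LIKE pattern is assembled in Apex and passed as data, never parsed as SOQL.
    public static List<Supply__c> boundNameSearch(String userText) {
        String pattern = '%' + userText + '%';
        return Database.query(BASE_QUERY + ' WHERE Name LIKE :pattern LIMIT 10');
    }

    // Numeric comparison: there is no string literal here, so escapeSingleQuotes alone
    // would leave the query injectable. Allow-list the operator and typecast the number
    // (Integer.valueOf throws on non-numeric input), then bind the parsed value.
    public static List<Supply__c> quantitySearch(String comparator, String userNumber) {
        Set<String> allowedOps = new Set<String>{ '<', '>', '=' };
        if (!allowedOps.contains(comparator)) {
            throw new IllegalArgumentException('Unsupported comparator');
        }
        Integer qty = Integer.valueOf(userNumber);
        String soql = BASE_QUERY + ' WHERE Quantity__c ' + comparator + ' :qty LIMIT 10';
        return Database.query(soql);
    }
}
```

In the numeric query there is no quoted literal for the input to break out of, so escaping quotes changes nothing; only forcing the value through Integer.valueOf (and allow-listing the operator) guarantees that what reaches Database.query is a number. Where you control the query text, a bind variable (:pattern, :qty) is the more robust choice, because the user's value never becomes part of the SOQL string at all.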

Hope this helps you... Enjoy!