Friday, June 1, 2012

SOSL Injection


SOSL (Salesforce Object Search Language) injection is a technique by which a user causes your application to execute database operations you did not intend by passing SOSL fragments into your script. It can occur in Apex whenever your application relies on end-user input to construct a dynamic SOSL (or SOQL) statement and does not handle that input properly.
To prevent SOSL injection, use the String.escapeSingleQuotes method. It adds the escape character (\) before every single quotation mark in a string passed in by a user, so each quote is treated as part of the string value rather than as the delimiter that closes it and lets the rest of the input run as query syntax. Where the query is dynamic SOQL, a bind variable (:name) avoids building the string from user input at all.
Code:
public Account[] getAccountInfo() {
    // Vulnerable: the user's input is spliced straight into the query text.
    String userInput = ApexPages.currentPage().getParameters().get('nameofAccount');
    // Standard Account address fields are BillingStreet/BillingCity; Account has no "address" or "city" field.
    Account[] accs = Database.query('SELECT Name, BillingStreet, BillingCity FROM Account WHERE Name = \'' + userInput + '\'');
    return accs;
}
Description:
The code above takes the account name the user entered, builds a dynamic query from it, and returns the matching Account records. Note that Database.query runs SOQL, not SOSL; the injection works the same way in a dynamic SOSL FIND string passed to Search.query, and the fix is the same.
Because the input is concatenated inside the quoted literal, a malicious user can close that literal and append a condition of their own. Entering x' OR Name LIKE '% as the account name turns the WHERE clause into WHERE Name = 'x' OR Name LIKE '%', which matches every account, so the attacker receives account data they were never meant to see. Declaring the class "with sharing" is still worth doing, because it limits the results to records the running user is allowed to see under the sharing rules, but it does not prevent the injection itself. Escape the input with String.escapeSingleQuotes, or better, pass it as a bind variable, before running the query.
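The hardened forms of the lookup, as an added example that is not code from the original post: the class name AccountLookup, the method names and the escapeSoslTerm helper are my own choices. It shows the escaped version of the page's query, the bind-variable version, and a dynamic SOSL FIND built with Search.query, where a quote is not the only character that changes the meaning of the search term.

```apex
// "with sharing" enforces record-level sharing rules on the results; it is a
// second layer, not an injection defence, so the input is still sanitised.
public with sharing class AccountLookup {

    // Same query as the vulnerable getAccountInfo(), with the user-supplied name
    // escaped first. A quote in the input is now \' inside the literal, so it
    // cannot close the literal and append "OR Name LIKE '%".
    public static List<Account> getAccountInfoEscaped(String userInput) {
        String safeName = String.escapeSingleQuotes(userInput);
        String q = 'SELECT Name, BillingStreet, BillingCity FROM Account'
                 + ' WHERE Name = \'' + safeName + '\'';
        return Database.query(q);
    }

    // Preferred: a bind variable. Dynamic SOQL may reference an in-scope Apex
    // variable as :name; the value is bound by the platform and never becomes
    // part of the query text, so no escaping is needed.
    public static List<Account> getAccountInfoBound(String userInput) {
        String name = userInput;
        return Database.query(
            'SELECT Name, BillingStreet, BillingCity FROM Account WHERE Name = :name');
    }

    // SOSL reserved characters. Besides the quote, these change how the search
    // term is parsed (wildcards, boolean operators, grouping), so each one is
    // prefixed with a backslash before the term goes into the FIND clause.
    private static final String SOSL_RESERVED = '?&|!{}[]()^~*:\\"\'+-';

    public static String escapeSoslTerm(String term) {
        String escaped = '';
        for (Integer i = 0; i < term.length(); i++) {
            String c = term.substring(i, i + 1);
            if (SOSL_RESERVED.contains(c)) {
                escaped += '\\';
            }
            escaped += c;
        }
        return escaped;
    }

    // Dynamic SOSL, which the title of the post is actually about. Search.query
    // takes the FIND string and returns one list per RETURNING object.
    public static List<Account> findAccountsByName(String userInput) {
        String term = escapeSoslTerm(userInput);
        String s = 'FIND \'' + term + '\' IN NAME FIELDS'
                 + ' RETURNING Account(Name, BillingStreet, BillingCity)';
        List<List<SObject>> results = Search.query(s);
        return (List<Account>) results[0];
    }
}
```

With the hardened methods, the payload x' OR Name LIKE '% is searched for literally as an account name and returns nothing; the bind-variable method is the simplest to get right because there is no string to escape.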
