Monday, 14 March 2011

Salesforce applications with security: SOQL Injection

Hi,

I am here again to share something with you that you may already know, but I would still like to rate myself :).
So please be ready for one more boring (I don't think so) topic: "Salesforce applications with security: SOQL Injection".

This time it is SOQL injection. So SOQL is a type of vaccine for the human body, injected when you really feel weak (sorry :), no more jokes).

It is a code injection technique that exploits a security vulnerability in the way an application builds its queries.
Let me be more specific. Suppose you have a search form and, instead of typing a valid search parameter, the user types crafted text that changes the structure of your SOQL query and exposes results you never intended to return.
This situation occurs when user input is concatenated into the query string without being escaped or bound.
Let's have a pictorial look:



It's a SQL example, but it describes SOQL injection equally well.
Here you can see that once the user puts a crafted value in the User id field, it travels to the controller and forms a query whose login check returns a result it should never have returned.

The worst scenario is when the records returned by such a query are then deleted.
Let's have one more quick example of this:

I have a case where I want to delete the Account whose name is entered in the name input field on the page.
The implementation can look like this:

List<Account> listAccount = Database.query('Select id from Account where Name = \'' + nameField + '\' ');

delete listAccount;

It works great with a valid value.
Now it becomes a problem if the value of nameField is supplied as the following text (typed literally, including the single quotes):

nameField = ' OR Id != null OR Type != '


Once the action is performed, this text is spliced into the query and the resultant statement looks like this:


List<Account> listAccount = Database.query('Select id from Account where Name = \'\' OR Id != null OR Type != \'\' ');

delete listAccount;

That is, the SOQL actually executed is:

Select id from Account where Name = '' OR Id != null OR Type != ''

Hopefully you can see the monster here. Name = '' matches nothing, but OR Id != null is true for every record, so the query returns every Account the code can see and the delete wipes all of them.

Salesforce provides escaping and bind-variable support to get rid of SOQL injection.
The solution can be one of the following:
  1. Use STATIC queries with bind variables as much as possible. A bound value ([SELECT Id FROM Account WHERE Name = :nameField]) is passed to the query as data and is never parsed as SOQL, so no escaping is needed. Database.query() accepts the same :variable binds inside a dynamic query string.
  2. If a dynamic query must be built by string concatenation, then every user-supplied value spliced into a string literal should go through the escapeSingleQuotes() function, like this:
    List<Account> listAccount = Database.query('Select id from Account where Name = \'' + String.escapeSingleQuotes(nameField) + '\' ');
The String.escapeSingleQuotes method adds the escape character (\) before every single quotation mark in the string passed in from the user. This ensures the quotes are treated as part of the enclosing string value rather than as the end of it, so the rest of the input cannot become a SOQL command.
One caveat: escapeSingleQuotes only protects values placed inside a single-quoted string literal. If user input is used as a field name, an ORDER BY column, a LIMIT value, or a bare number in a comparison, there are no quotes to escape, and the input must instead be validated against an allow-list of known-good values. Inside a LIKE pattern, the % and _ wildcards also survive escaping and need handling separately.
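As an added example (not code from the original post), here is the vulnerable deletion routine from above beside its hardened forms, plus an allow-list for a dynamic ORDER BY column, which goes beyond the post's string-literal case. The class, method and exception names (AccountCleanup, deleteByName, AccessDeniedException and so on) are assumed for illustration. The accompanying test class shows the post's payload being treated as a plain value; in a real org each class lives in its own file.

```apex
// Added example: vulnerable vs. hardened account lookup/delete.
// Class and method names are assumptions for illustration.
public with sharing class AccountCleanup {
    public class AccessDeniedException extends Exception {}

    // VULNERABLE: the raw input becomes part of the SOQL text.
    // nameField = "' OR Id != null OR Type != '" turns the WHERE clause
    // into  Name = '' OR Id != null OR Type != ''  and matches every row.
    public static List<Account> findVulnerable(String nameField) {
        return Database.query('SELECT Id FROM Account WHERE Name = \'' + nameField + '\'');
    }

    // SAFE: static SOQL with a bind variable. The value is passed as data
    // and is never parsed as SOQL, so no escaping is required.
    public static List<Account> findWithBind(String nameField) {
        return [SELECT Id FROM Account WHERE Name = :nameField];
    }

    // SAFE: dynamic SOQL can bind too; :nameField refers to the in-scope variable.
    public static List<Account> findDynamicBind(String nameField) {
        return Database.query('SELECT Id FROM Account WHERE Name = :nameField');
    }

    // SAFE (when concatenation is unavoidable): escape quotes inside the literal.
    public static List<Account> findDynamicEscaped(String nameField) {
        String soql = 'SELECT Id FROM Account WHERE Name = \''
            + String.escapeSingleQuotes(nameField) + '\'';
        return Database.query(soql);
    }

    // escapeSingleQuotes cannot protect a field name: there are no quotes
    // to escape. Validate against an allow-list instead.
    private static final Set<String> SORTABLE = new Set<String>{ 'Name', 'CreatedDate' };

    public static List<Account> listSortedBy(String sortField) {
        if (!SORTABLE.contains(sortField)) {
            throw new IllegalArgumentException('Unsupported sort field: ' + sortField);
        }
        return Database.query('SELECT Id, Name FROM Account ORDER BY ' + sortField + ' LIMIT 200');
    }

    // Deleting: bind the value, and check object-level permission explicitly,
    // because Apex DML does not enforce CRUD on its own.
    public static Integer deleteByName(String nameField) {
        if (!Schema.sObjectType.Account.isDeletable()) {
            throw new AccessDeniedException('No delete permission on Account');
        }
        List<Account> victims = findWithBind(nameField);
        delete victims;
        return victims.size();
    }
}

@IsTest
private class AccountCleanupTest {
    @IsTest
    static void payloadIsTreatedAsData() {
        // Constructed sample data for the test.
        insert new List<Account>{ new Account(Name = 'Acme'), new Account(Name = 'Globex') };
        String payload = '\' OR Id != null OR Type != \'';   // the post's injection string

        // Concatenation: the payload rewrites the WHERE clause and matches both rows.
        System.assertEquals(2, AccountCleanup.findVulnerable(payload).size());

        // Bound or escaped: the payload is compared as a literal name and matches nothing.
        System.assertEquals(0, AccountCleanup.findWithBind(payload).size());
        System.assertEquals(0, AccountCleanup.findDynamicBind(payload).size());
        System.assertEquals(0, AccountCleanup.findDynamicEscaped(payload).size());

        // A normal value still works, and only the matching record is deleted.
        System.assertEquals(1, AccountCleanup.deleteByName('Acme'));
        System.assertEquals(1, [SELECT COUNT() FROM Account]);
    }
}
```

The bind-variable forms are the ones to reach for first; escapeSingleQuotes is the fallback for the rare query that genuinely has to be assembled from strings, and the allow-list covers the parts of a query that are not string literals at all.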

I hope this post helps you get a basic understanding of SOQL injection.

Now I am going to finish this, because if I didn't, you guys would fall asleep.
So the topic ends, party time ....................



Will be back very soon with something new :).


 




10 comments:

  1. Nice idea actually... good one. It's better to be safe than sorry.

  2. Good post, it helps me to understand the basic logic.

  3. Although I used escapeSingleQuotes... the SQL injection issue is not resolved.

    Replies
    1. It's odd. What issue are you still facing?

  4. Not working,I used
    String fieldName = name;
    List<Account> accountList = (List<Account>)Database.query('Select Id,Name FROM Account WHERE Name =:fieldName');

  5. It's working, and the variable name I am passing as a parameter to the method is the account name.

  6. Hi,
    For more information on SQL Injection attacks see:
    http://www.owasp.org/index.php/SQL_injection
    http://www.owasp.org/index.php/Blind_SQL_Injection
    http://www.owasp.org/index.php/Guide_to_SQL_Injection
    http://www.google.com/search?q=sql+injection

    salesforce training in Chennai

  7. I also tried escapeSingleQuotes but it did not work for me either. Does anyone have a solution? Please post the final solution.
