What is SOQL Injection?
We can compare the SOQL injection with the Trojan horse from Greek Mythology. In Greek Mythology there is a tale about the Trojan War. The Greeks used the selected soldiers and hide them into a giant wooden horse and pretended to leave the shores and people of Troy believed the horse as a war trophy and they brought it inside the city That night the Greek force crept out of the horse and opened the gates for the rest of the Greek army, which had sailed back under cover of night. The Greeks entered and destroyed the city of Troy, decisively ending the war. Here the beliefs of the people in the city of troy are used by the Greeks to bring down the city fortifications to ease the invading Greek Army.
Similarly if we don’t believe in validating the user inputs in an Application there is a chance for the users might trick the application by providing the malicious inputs. So this is a serious security threat in an Application.
Just like SQL Injections Salesforce’s own query language SOQL also faces the similar problem.
Impact on Salesforce Database
Even though the database is different the attacks are similar just like SQL. Consider the SOQL query from one of my previous blogs How to Build a Simple Search Page Using Visualforce
User Input : test%') OR (Name LIKE '
Then query is modified something like this
If you look in to the above line you can see the entire query is modified with three different where clauses. Now the query will just not show the non deleted one’s it will show all the accounts. This is a typical example for a SOQL injection.
Resolution
Usage of proper validations might solve the problem. All the user inputs in the UI have to be validated to check if the input contains special characters such as % ; ‘ etc…
Usage of static queries with dynamic binding of variable might also solve the issue. For example the above query can be modified as follows
External References:
http://en.wikipedia.org/wiki/SQL_injection https://www.salesforce.com/us/developer/docs/pages/Content/pages_security_tips_soql_injection.htm
Nirmal Christopher Salesforce.com Technical Consultant Global Tech and Resources Inc..,
We can compare the SOQL injection with the Trojan horse from Greek Mythology. In Greek Mythology there is a tale about the Trojan War. The Greeks used the selected soldiers and hide them into a giant wooden horse and pretended to leave the shores and people of Troy believed the horse as a war trophy and they brought it inside the city That night the Greek force crept out of the horse and opened the gates for the rest of the Greek army, which had sailed back under cover of night. The Greeks entered and destroyed the city of Troy, decisively ending the war. Here the beliefs of the people in the city of troy are used by the Greeks to bring down the city fortifications to ease the invading Greek Army.Similarly if we don’t believe in validating the user inputs in an Application there is a chance for the users might trick the application by providing the malicious inputs. So this is a serious security threat in an Application.
Just like SQL Injections Salesforce’s own query language SOQL also faces the similar problem.
Impact on Salesforce Database
Even though the database is different the attacks are similar just like SQL. Consider the SOQL query from one of my previous blogs How to Build a Simple Search Page Using Visualforce
String searchquery= 'SELECT Id FROM account WHERE ' +
'(IsDeleted = false and Name like \'%' + name + '%\')';
acc= Database.query(searchquery);
User Input : test%') OR (Name LIKE '
Then query is modified something like this
String searchquery= 'SELECT Id FROM account WHERE ' +
'(IsDeleted = false and Name '%test%') OR (Name LIKE '%'))';
If you look in to the above line you can see the entire query is modified with three different where clauses. Now the query will just not show the non deleted one’s it will show all the accounts. This is a typical example for a SOQL injection.
Resolution
Usage of proper validations might solve the problem. All the user inputs in the UI have to be validated to check if the input contains special characters such as % ; ‘ etc…
Usage of static queries with dynamic binding of variable might also solve the issue. For example the above query can be modified as follows
String searchquery = '%' + name + '%';
queryResult = [SELECT Id FROM account WHERE
(IsDeleted = false and Name like : searchquery)];
External References:
http://en.wikipedia.org/wiki/SQL_injection https://www.salesforce.com/us/developer/docs/pages/Content/pages_security_tips_soql_injection.htm
Nirmal Christopher Salesforce.com Technical Consultant Global Tech and Resources Inc..,
1 comment:
To prevent SOQL injection, you can also use the escapeSingleQuotes method. Returns a String with the escape character (\) added before any single quotation marks in the String s (adds the escape character (\) to all single quotation marks in a string that is passed in from a user). The method ensures that all single quotation marks are treated as enclosing strings, instead of database commands.
http://salesforce.stackexchange.com/questions/8505/how-to-use-the-escapesinglequotes-method
and
http://www.salesforce.com/us/developer/docs/dbcom_apex250/Content/apex_methods_system_string.htm
Hope that helps!
Brandon
Post a Comment