salesforce_security_impl_guide
salesforce_security_impl_guide
salesforce_security_impl_guide
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Security Tips for Apex and Visualforce Development<br />
Data Access Control<br />
}<br />
}<br />
This is a very s<strong>impl</strong>e example but illustrates the logic. The code is intended to search for contacts that have not been deleted. The user<br />
provides one input value called name . The value can be anything provided by the user and it is never validated. The SOQL query is built<br />
dynamically and then executed with the Database.query method. If the user provides a legitimate value, the statement executes<br />
as expected:<br />
// User supplied value: name = Bob<br />
// Query string<br />
SELECT Id FROM Contact WHERE (IsDeleted = false and Name like '%Bob%')<br />
However, what if the user provides unexpected input, such as:<br />
// User supplied value for name: test%') OR (Name LIKE '<br />
In that case, the query string becomes:<br />
SELECT Id FROM Contact WHERE (IsDeleted = false AND Name LIKE '%test%') OR (Name LIKE '%')<br />
Now the results show all contacts, not just the non-deleted ones. A SOQL Injection flaw can be used to modify the intended logic of any<br />
vulnerable query.<br />
SOQL Injection Defenses<br />
To prevent a SOQL injection attack, avoid using dynamic SOQL queries. Instead, use static queries and binding variables. The vulnerable<br />
example above can be re-written using static SOQL as follows:<br />
public class SOQLController {<br />
public String name {<br />
get { return name;}<br />
set { name = value;}<br />
}<br />
public PageReference query() {<br />
String queryName = '%' + name + '%';<br />
queryResult = [SELECT Id FROM Contact WHERE<br />
(IsDeleted = false and Name like :queryName)];<br />
return null;<br />
}<br />
}<br />
If you must use dynamic SOQL, use the escapeSingleQuotes method to sanitize user-supplied input. This method adds the<br />
escape character (\) to all single quotation marks in a string that is passed in from a user. The method ensures that all single quotation<br />
marks are treated as enclosing strings, instead of database commands.<br />
Data Access Control<br />
The Force.com platform makes extensive use of data sharing rules. Each object has permissions and may have sharing settings for which<br />
users can read, create, edit, and delete. These settings are enforced when using all standard controllers.<br />
When using an Apex class, the built-in user permissions and field-level <strong>security</strong> restrictions are not respected during execution. The<br />
default behavior is that an Apex class has the ability to read and update all data within the organization. Because these rules are not<br />
enforced, developers who use Apex must take care that they do not inadvertently expose sensitive data that would normally be hidden<br />
105