Syntax is wrong.
Either use this way :-
Set<Id> sId = new Set<Id>();
OR
Set<Id> sId = new Set<Id>{'a0df000000063A9AAI','a0df00000006P2cAAE'};
// no need to use '+sid;
String squery = 'SELECT Id, Name FROM Engagement__c WHERE Id IN:sId';
// else is correct
List<Engagement__c> lst = database.query(squery);
System.debug('----list size:'+lst.size());
Why it cannot be +sId?
Using this approach will lead to wrong SOQL syntax. For ex:
Query String will become:
SELECT Id, Name FROM Engagement__c WHERE Id IN:{a0df000000063A9AAI,a0df00000006P2cAAE}
which is a wrong syntax for SOQL query.
There's really no reason that you need to do all that fancy footwork. You can just trust the system to tell you what you need to know. Here's an implementation that I whipped up for you:
public class Utils {
static Boolean validId(String recordIdString) {
try {
Id recordId = (Id)recordIdString;
String sobjectName = String.valueOf(recordId.getSObjectType());
return Database.countQuery('SELECT COUNT() FROM '+sobjectName+' WHERE Id = :recordId') > 0;
} catch(Exception e) {
return false;
}
}
}
I've also posted this as a gist.
The try-catch block will catch the TypeException if it's not a valid Id (from the cast), or a NullPointerException if it's a null Id, and possibly a QueryException if the Id points to an object that can't be queried (rare, but they are there).
I'm pretty sure that even the automated scanner won't give you a red flag for this code, but even if it did, a simple review should clearly identify that no injection is possible as long as it's used in the appropriate sharing context; user-facing code should be "with sharing" to prevent leaking Id values they should't know about.
You can actually do this without a try-catch as well:
static Boolean validId(String recordIdString) {
return recordIdString instanceOf Id &&
Id.valueOf(recordIdString).getSObjectType().getDescribe().isQueryable() &&
0 < Database.countQuery(
'SELECT COUNT() FROM '+
String.valueOf(Id.valueOf(recordIdString).getSObjectType())+
' WHERE Id = :recordIdString');
}
}
I find this to be a little less readable, but is Exception-free and probably better for performance.
Note: Id.valueOf is broken in older versions of the API, so make sure you're using a recent version of the API for your class (e.g. version 37.0).
Best Answer
Your query in for loop is correct
Use soql same in system debug as well
Here I can see you are using soql inside for loop. I guess the above list
objAPINames. it will contain only few sobject so it should not hit the soql governer limitsUpdates
Another issue in for loop soql, before where you need to give space