I have sent my code for security review and I am getting an error for SOQL/SOSL Injection. I have made the changes on the basis of what they mentioned in the report, but I am still getting an issue with the dynamic SOQL I am doing in my code. My updated code:
// Owner filter is passed as a bind variable (:userId), not concatenated into the query text.
String userId = String.escapeSingleQuotes(UserInfo.getUserId());
String queryString = 'Select Conference_Call__c,Conference_Call_Info_Details__c,Meeting_Date__c,Id,Meeting_Id__c,StartDateTime__c,EndDateTime__c,Subject__c,Type__c,Conference_Call_Info__c from GoTo_Meeting__c where OwnerId = :userId';
// Date filter depends on the option the user picked; the final branch appends optionSelected as raw text.
if (optionSelected == 'Meeting History') {
    queryString += ' and StartDateTime__c < Today';
} else if (optionSelected == 'Upcoming Meetings') {
    queryString += ' and StartDateTime__c > Today';
} else {
    queryString += ' and StartDateTime__c = ' + optionSelected;
}
// Sort expression is appended as raw text as well.
queryString += ' order By ' + sortFullExp;
queryString += ' Limit 1000';
eventList = Database.query(queryString);
The security review is flagging the SOQL/SOSL Injection error on eventList = Database.query(queryString);
Can anyone please help me solve this issue?
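A hardened form of the same query, added here as an example and not part of the question or the answer: every caller-controlled value is either bound (:userId) or checked against an allow-list before it reaches the query text, so nothing needs escaping. The class and method names, the allow-listed sort fields, and the assumption that the remaining option values are SOQL date literals such as THIS_WEEK are mine, not the page's.

```apex
public with sharing class GoToMeetingQuery {
    // Allow-list of option values and the clause each one is permitted to add.
    // Assumption: the "else" branch of the original receives a SOQL date literal;
    // only the values listed here are accepted, anything else is rejected.
    private static final Map<String, String> DATE_CLAUSES = new Map<String, String>{
        'Meeting History'   => ' AND StartDateTime__c < TODAY',
        'Upcoming Meetings' => ' AND StartDateTime__c > TODAY',
        'THIS_WEEK'         => ' AND StartDateTime__c = THIS_WEEK',
        'NEXT_WEEK'         => ' AND StartDateTime__c = NEXT_WEEK'
    };
    // Allow-list of fields the user may sort on (assumed set).
    private static final Set<String> SORT_FIELDS = new Set<String>{
        'StartDateTime__c', 'EndDateTime__c', 'Subject__c', 'Type__c'
    };

    public static List<GoTo_Meeting__c> fetch(String optionSelected, String sortField, Boolean descending) {
        String dateClause = DATE_CLAUSES.get(optionSelected);
        if (dateClause == null) {
            throw new IllegalArgumentException('Unsupported option: ' + optionSelected);
        }
        if (!SORT_FIELDS.contains(sortField)) {
            throw new IllegalArgumentException('Unsupported sort field: ' + sortField);
        }
        // userId is a bind variable: it is never part of the query string,
        // so escapeSingleQuotes is not needed for it.
        Id userId = UserInfo.getUserId();
        String queryString =
            'SELECT Conference_Call__c, Conference_Call_Info_Details__c, Meeting_Date__c, Id, '
          + 'Meeting_Id__c, StartDateTime__c, EndDateTime__c, Subject__c, Type__c, '
          + 'Conference_Call_Info__c FROM GoTo_Meeting__c WHERE OwnerId = :userId'
          + dateClause
          + ' ORDER BY ' + sortField + (descending ? ' DESC' : ' ASC')
          + ' LIMIT 1000';
        return Database.query(queryString);
    }
}
```

Because the only text that varies comes from fixed allow-lists, a scanner has no concatenated variable to flag, and a rejected value fails with an exception instead of changing the query.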
Best Answer
Dynamic SOQL will not pass the security review. Your code is pretty safe because the end user has no possible way of injecting anything into the query.
From here:
You will need to call escapeSingleQuotes on the entire query string. The security scanner is not smart enough to know that you have already called it on the only variable that can change in your query. You should be doing this: