Please let me know: is the code below the proper way of using String.escapeSingleQuotes? I am using escapeSingleQuotes for security purposes.
Before use:

    // Read the Description value and compare it as a plain string
    String strValue = '';
    strValue = String.valueOf(contactDesc.get('Description'));
    if (strValue != null && strValue.contains('Summary Description')) {
        //logic
    }

    // Build a dynamic SOQL query from a caller-supplied field list (cuFields)
    public customWrapper(Id accId) {
        String auQuery = 'Select Id, Name' + cuFields + ' From Account Where Id =: accId';
        accMap = new Map<Id, Account>(getAccData(Database.query(auQuery)));
    }
After use:

    // Same comparison, with escapeSingleQuotes applied to the value first
    String strValue = '';
    strValue = String.valueOf(contactDesc.get('Description'));
    if (String.escapeSingleQuotes(strValue) != null && String.escapeSingleQuotes(strValue).contains('Summary Description')) {
        //logic
    }

    // Same query, with escapeSingleQuotes applied to the whole finished query string
    public customWrapper(Id accId) {
        String auQuery = 'Select Id, Name' + cuFields + ' From Account Where Id =: accId';
        accMap = new Map<Id, Account>(getAccData(Database.query(String.escapeSingleQuotes(auQuery))));
    }
Best Answer
No.
You need to be concerned about SOQL injection in dynamically constructed SOQL queries that can include user input. (See the linked Trailhead module for lots of details.) The vulnerability is typically in a dynamic WHERE clause, which you don't have here; however, at minimum to stop static analyzers from claiming you have an injection vulnerability, what you should be escaping is cuFields, the text you dynamically add to your SOQL query.

This doesn't do anything here because your query doesn't contain any single quotes. If you had a WHERE clause that included legitimate single quotes, this would break your query.

There is no need to perform quote escaping prior to running string comparisons.
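The points in the answer, as an added Apex test class that is not code from the question or the answer: a dynamic WHERE clause that concatenates a user value, the same clause with only the dynamic fragment escaped (and the bind-variable form that needs no escaping at all), and the effect of escaping the finished query, which breaks a legitimate quoted literal. The second method goes beyond the answer: since a field list like cuFields never contains quotes, it checks the names against the object's describe map instead of relying on escapeSingleQuotes, and keeps the escape call only to satisfy static analyzers. The class and method names, the account name and the field list are constructed for the example; it runs as a unit test in a sandbox or scratch org, so the inserted record is rolled back.

```apex
@IsTest
private class SoqlEscapingExample {
    // Constructed test data: an account whose name contains a single quote.
    static Account makeAccount() {
        Account acc = new Account(Name = 'O\'Neil Ltd');
        insert acc;
        return acc;
    }

    @IsTest
    static void escapeTheFragmentNotTheQuery() {
        Account acc = makeAccount();
        String userInput = 'O\'Neil Ltd';   // stands in for a value a user typed

        // Vulnerable: the value is concatenated straight into the WHERE clause.
        // With this input it merely fails to parse; an input such as  x' OR Name != 'x
        // would parse fine and return every account instead of one.
        String vulnerable = 'SELECT Id FROM Account WHERE Name = \'' + userInput + '\'';
        Boolean threw = false;
        try { Database.query(vulnerable); } catch (QueryException e) { threw = true; }
        System.assert(threw, 'an unescaped quote in the value breaks the literal');

        // Hardened: escape only the dynamic fragment. The query's own quotes stay
        // intact and the quote inside the value becomes \' which SOQL accepts.
        String hardened = 'SELECT Id FROM Account WHERE Name = \''
            + String.escapeSingleQuotes(userInput) + '\'';
        System.assertEquals(1, Database.query(hardened).size());

        // Better still: a bind variable is never parsed as SOQL text, so nothing
        // needs escaping and the value cannot change the query's logic.
        System.assertEquals(1, Database.query('SELECT Id FROM Account WHERE Name = :userInput').size());

        // What the question did: escaping the whole finished query. The legitimate
        // quotes around the literal get a backslash too, and the query no longer parses.
        threw = false;
        try { Database.query(String.escapeSingleQuotes(hardened)); } catch (QueryException e) { threw = true; }
        System.assert(threw, 'escaping the whole query breaks the legitimate quotes');
    }

    @IsTest
    static void allowlistDynamicFieldNames() {
        Account acc = makeAccount();
        // cuFields in the question: field names supplied by a caller. Quote escaping
        // does nothing useful to a field name, so validate each one against the
        // object's describe map (its keys are lower-case API names) and drop the rest.
        List<String> cuFields = new List<String>{'Industry', 'Phone', 'Name; DELETE'};
        Map<String, Schema.SObjectField> known = Schema.SObjectType.Account.fields.getMap();
        List<String> selectList = new List<String>{'Id', 'Name'};
        for (String f : cuFields) {
            if (known.containsKey(f.toLowerCase())) {
                selectList.add(f);
            }
        }
        Id accId = acc.Id;
        // escapeSingleQuotes is applied to the dynamic fragment only, as the answer
        // suggests; with no quotes present it is a no-op that keeps analyzers quiet.
        String auQuery = 'SELECT ' + String.escapeSingleQuotes(String.join(selectList, ', '))
            + ' FROM Account WHERE Id = :accId';
        System.assertEquals('SELECT Id, Name, Industry, Phone FROM Account WHERE Id = :accId', auQuery);
        List<Account> rows = Database.query(auQuery);
        System.assertEquals(1, rows.size());
    }
}
```

Run it with `sfdx force:apex:test:run -t SoqlEscapingExample` (or from Setup > Apex Test Execution). The first method is the one to keep in mind for the question's `customWrapper`: escape the fragment you concatenate, or avoid concatenation with a bind variable, and never pass the assembled query through escapeSingleQuotes.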