[SalesForce] How to use String.escapeSingleQuote method

Please let me know whether the code below uses String.escapeSingleQuotes properly. I am using escapeSingleQuotes for security purposes.

Before use:

string strValue = '';
strValue = string.valueOf(contactDesc.get('Description'));
if (strValue != null && strValue.contains('Summary Description')) {
    // logic
}

public customWrapper(Id accId) {
    String auQuery = 'Select Id, Name' + cuFields + ' From Account Where Id =: accId';
    accMap = new Map<Id, Account>(getAccData(Database.query(auQuery)));
}

After use:

string strValue = '';
strValue = string.valueOf(contactDesc.get('Description'));
if (String.escapeSingleQuotes(strValue) != null && String.escapeSingleQuotes(strValue).contains('Summary Description')) {
    // logic
}

public customWrapper(Id accId) {
    String auQuery = 'Select Id, Name' + cuFields + ' From Account Where Id =: accId';
    accMap = new Map<Id, Account>(getAccData(Database.query(String.escapeSingleQuotes(auQuery))));
}

Best Answer

No.

You need to be concerned about SOQL injection in dynamically constructed SOQL queries that can include user input. (See the linked Trailhead module for lots of details.) The vulnerability is typically in a dynamic WHERE clause, which you don't have here; however, at a minimum, to stop static analyzers from claiming you have an injection vulnerability, what you should be escaping is cuFields - the text you dynamically add to your SOQL query.

Database.query(String.escapeSingleQuotes(auQuery))

This doesn't do anything here because your query doesn't contain any single quotes. If you had a WHERE clause that included legitimate single quotes, this would break your query.

if (String.escapeSingleQuotes(strValue) != null  && String.escapeSingleQuotes(strValue).contains('Summary Description')) {

There is no need to perform quote escaping prior to running string comparisons.
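An added example (not code from the question or the answer) showing where String.escapeSingleQuotes belongs: the injectable concatenation the answer warns about, the input-only escape, a bind variable, and the parse failure caused by escaping the assembled query as in the question's "after" code. It also goes one step past the answer's suggestion for cuFields by checking a field list against the object's describe result. The class, method and parameter names are assumed.

```apex
// Added example: placement of String.escapeSingleQuotes in dynamic SOQL.
// 'nameFilter' and 'extraFields' stand in for untrusted caller input (assumed names).
public with sharing class DynamicSoqlExample {

    // Vulnerable: user input is concatenated straight into the WHERE clause,
    // so a value containing a single quote can change the query's meaning.
    public static List<Contact> unsafeLookup(String nameFilter) {
        String q = 'SELECT Id, Name FROM Contact WHERE Name LIKE \'%' + nameFilter + '%\'';
        return Database.query(q);
    }

    // Hardened: escape only the untrusted value, never the whole query string.
    public static List<Contact> escapedLookup(String nameFilter) {
        String safe = String.escapeSingleQuotes(nameFilter);
        String q = 'SELECT Id, Name FROM Contact WHERE Name LIKE \'%' + safe + '%\'';
        return Database.query(q);
    }

    // Preferred: a bind variable is passed as data, not parsed as SOQL, so no escaping is needed.
    public static List<Contact> boundLookup(String nameFilter) {
        String pattern = '%' + nameFilter + '%';
        return [SELECT Id, Name FROM Contact WHERE Name LIKE :pattern];
    }

    // Wrong: escaping the assembled query turns its legitimate quotes into \' outside any
    // string literal, so the result no longer parses. This is the mistake in the question.
    public static String brokenQuery(String nameFilter) {
        String q = 'SELECT Id, Name FROM Contact WHERE Name LIKE \'%' + nameFilter + '%\'';
        return String.escapeSingleQuotes(q);
    }

    // Field names carry no quotes, so escapeSingleQuotes cannot protect a field list;
    // accept only names that exist on the object according to its describe result.
    public static String safeFieldList(List<String> extraFields) {
        Map<String, Schema.SObjectField> known = Schema.SObjectType.Account.fields.getMap();
        List<String> accepted = new List<String>();
        for (String f : extraFields) {
            if (known.containsKey(f.toLowerCase())) {
                accepted.add(f);
            }
        }
        return String.join(accepted, ', ');
    }
}
```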
