[SalesForce] Sanitize a string before injecting it into SOSL

Is there a way through the .NET framework or some other package to sanitize strings so that they can be safely used in SOSL? Is there any larger standard that SOSL falls under?

I was able to find How to pass a variable to the SOQL where clause? and Escaping reserved characters in SOSL queries, but they both deal with solving specific cases rather than a general solution.

I would prefer not to roll my own solution.

Best Answer

From Dynamic SOSL - SOSL Injection:

SOSL injection is a technique by which a user causes your application to execute database methods you did not intend by passing SOSL statements into your code. This can occur in Apex code whenever your application relies on end user input to construct a dynamic SOSL statement and you do not handle the input properly.

To prevent SOSL injection, use the escapeSingleQuotes method. This method adds the escape character (\) to all single quotation marks in a string that is passed in from a user. The method ensures that all single quotation marks are treated as enclosing strings, instead of database commands.

Based on that, it should be sufficient to escape any single quote characters in the user-based input before merging it with your dynamic SOSL.
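Since escapeSingleQuotes is an Apex method and the question is asked from .NET, here is an added example (my own code, not from the answer, the question, or Salesforce) of doing the same escaping in C# before composing a FIND clause. Two things in it go beyond the quoted documentation and are my assumptions: the backslash is escaped as well as the single quote (otherwise input ending in a backslash would escape the closing quote of the literal), and the stricter helper also escapes the SOSL search-term reserved characters, using the list from Salesforce's SOSL syntax documentation rather than anything on this page.

```csharp
using System;
using System.Text;

// Added example, not part of the original post. A .NET-side equivalent of
// Apex String.escapeSingleQuotes for code that builds the SOSL text itself.
public static class SoslEscaper
{
    // Reserved characters in a SOSL search term. Assumption: this list is
    // taken from Salesforce's SOSL documentation, not from this page.
    private const string Reserved = "?&|!{}[]()^~*:\\\"'+-";

    // Minimal injection-safe escaping: the backslash must be escaped first,
    // otherwise a trailing '\' in the input would neutralise the closing
    // quote that we add around the literal. Escaping '\' is my addition;
    // the quoted doc only mentions single quotes.
    public static string EscapeSingleQuotes(string input)
    {
        if (input == null) throw new ArgumentNullException(nameof(input));
        return input.Replace("\\", "\\\\").Replace("'", "\\'");
    }

    // Stricter variant for a search term: escapes every reserved character
    // so the user can only search for literal text, not use SOSL operators.
    public static string EscapeSearchTerm(string input)
    {
        if (input == null) throw new ArgumentNullException(nameof(input));
        var sb = new StringBuilder(input.Length * 2);
        foreach (char c in input)
        {
            if (Reserved.IndexOf(c) >= 0) sb.Append('\\');
            sb.Append(c);
        }
        return sb.ToString();
    }

    // The only place user input touches the query text, and it is escaped
    // on the way in. The RETURNING clause is fixed, never built from input.
    public static string BuildFind(string userTerm)
    {
        return "FIND '" + EscapeSearchTerm(userTerm) + "' IN ALL FIELDS RETURNING Account(Id, Name)";
    }

    public static void Main()
    {
        // Constructed inputs: an apostrophe, a trailing backslash, and a
        // term that would otherwise close the literal early.
        string[] samples = { "O'Neil", "trailing\\", "acme' RETURNING User(Id, Email)" };
        foreach (string s in samples)
        {
            Console.WriteLine(BuildFind(s));
        }
    }
}
```

If the .NET code instead hands the raw string to an Apex endpoint that builds the dynamic SOSL, the escaping belongs in that Apex code (the escapeSingleQuotes call from the answer), applied at the point where the string is concatenated into the query, not earlier; escaping twice doubles the backslashes and corrupts the search term.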
