[SalesForce] sforce.connection.query is not working for force.com sites

Iam trying to query records using AJAX Toolkit Javascript API through force.com sites.
But sforce.connection.query not working through sites. The same code working for internal users.
Please find the code snippet below:

function EditRecord(contid) {
        alert('Contact Id::'+contid);
        sforce.connection.sessionId = "{!$Api.Session_ID}"; 
        var result = sforce.connection.query("SELECT Id,FirstName,LastName,Email,Phone FROM Contact where Id='" + contid+ "'"); 
        alert('result::'+result);

    }

Can any one help me on how to access this without sessionId and force.com sites.

Best Answer

This got pushed back up to the home page two years later but... yeah totally not happening. Think about the security implications. You'd have to have a session ID with API access for an unauthenticated guest user, and then anyone malicious would simply be able to type their own query into JavaScript console and search for whatever they want. Any objects they have write access to, they'd be able to just go nuts. If you had to make a certain object readable/writable to accomplish your use case, having a working unauthenticated API would be disastrous.

On the other hand Visualforce Remoting and Visualforce Remote Objects should work fine. But remember that anything you make available in JS can potentially be used maliciously by users so you need to ensure that the server side is not exposing anything that can be abused.

Related Solutions

[SalesForce] Iframe in visualforce page not working for standard sites

Take a look at this : Clickjack protection for Non-Setup Salesforce Pages.

http://docs.releasenotes.salesforce.com/he-il/winter14/release-notes/rn_186_forcecom_cruc_setup_pages.htm

If you had run your critical update by mistake it could be one of the reasons why you are seeing blank pages.

This critical update enables clickjack protection for all non-setup Salesforce pages to protect against user interface redress attacks.

The article in the above reference specifically talks about this issue:

If your organization displays non-setup Salesforce pages within a frame or , it’s possible that the pages will either display as a blank page or without the frame after clickjack protection is enabled. The behavior varies depending on your browser and its version. Although there are reasons to frame pages, framed pages can be used by hackers.

Also the clickjack protection cannot be disabled without contacting support :

In the Spring ’14 release, the ability to disable clickjack protection from the Session Settings page will be removed, so you’ll have to contact salesforce.com Customer Support if you need to disable it. However, disabling clickjack protection is not recommended.

Read more here to know what and how it impacts you ( though much of this was discussed way before this was enabled full scale)

Upcoming "clickjacking" protection

This may be a better guide :

Winter 13 Clickjacking protection - is the following expected or a bug?

[SalesForce] sforce.connection.query is undefined

Before using sforce.connection.query, session ID should be set. Try below code,

<script src="https://code.jquery.com/jquery-1.11.1.min.js"></script>
<script src="/soap/ajax/33.0/connection.js" type="text/javascript"></script>
<script src="/soap/ajax/33.0/apex.js" type="text/javascript"></script>
<script type="text/javascript">
  var jq$ = jQuery.noConflict();
    jq$(document).ready(function() {                         
        try{
            sforce.connection.sessionId = ‘{!$Api.Session_ID}’;
            var qr = sforce.connection.query("Select Id, Name From account");
            alert('I am here');
            var records = qr.getArray("records");
            alert(records.length);
         }
        catch(err){
            alert(err.message);
        }
    });
</script>

Best Answer

Related Solutions

[SalesForce] Iframe in visualforce page not working for standard sites

[SalesForce] sforce.connection.query is undefined

Related Topic