In a security scan I am getting the error "SOQL Injection Vulnerability" and also the note "The query is user controllable".
string query = 'SELECT '+ queryFields +' From '+MFNameSpaceUtil.PrependNS('MobiForm_Field__c')+' WHERE ';
return query;
This is my query, and I don't have any idea what would cause the SOQL injection here. Any suggestions would be helpful.
Best Answer
Long Story:
Quoting examples from the Apex documentation:
To fix this, you can either use static SOQL and rewrite your SOQL as below:
To prevent a SOQL injection attack, avoid using dynamic SOQL queries. Instead, use static queries and binding variables. The vulnerable example above can be rewritten using static SOQL as follows:
For dynamic SOQL, use:
String strEsc = String.escapeSingleQuotes(str);
//str is your searchspec from the UI
For your use case:
You seem to be constructing the SOQL dynamically. Your issue could be with your WHERE clause if the bind variable for it comes from the UI.
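As an added illustration (this is example code written for this page, not code from the question, the answer, or the MobiForm package), the class below puts the vulnerable pattern from the question next to the two fixes the answer describes: static SOQL with a bind variable, and dynamic SOQL where the filter value is bound and the column list is validated against the object's describe. It assumes a hypothetical text field `Label__c` on `MobiForm_Field__c`, uses the object's API name directly instead of the `MFNameSpaceUtil.PrependNS` helper, and takes the field list and filter value as method parameters standing in for whatever the UI sends.

```apex
// Added example, not from the original post. Assumes a custom object
// MobiForm_Field__c with a hypothetical text field Label__c.
public with sharing class MobiFormFieldQueries {

    // VULNERABLE: the column list and the WHERE value are both concatenated
    // from caller-controlled strings. A label such as   x' OR Name != '
    // rewrites the predicate, and a column list such as   Id FROM User WHERE Id != ''--
    // changes which object is queried. This is what the scanner flags.
    public static List<SObject> findFieldsUnsafe(String queryFields, String label) {
        String query = 'SELECT ' + queryFields
            + ' FROM MobiForm_Field__c WHERE Label__c = \'' + label + '\'';
        return Database.query(query);
    }

    // FIX 1: static SOQL with a bind variable. The column list is fixed in code
    // and the value is passed as a bind, so nothing the caller sends can change
    // the shape of the query.
    public static List<MobiForm_Field__c> findFieldsStatic(String label) {
        return [SELECT Id, Name, Label__c
                FROM MobiForm_Field__c
                WHERE Label__c = :label];
    }

    // FIX 2: dynamic SOQL when the column set really must vary.
    //  - A bind variable cannot be used for an identifier, so each requested
    //    field name is checked against the object's describe (an allow-list) and
    //    replaced by its canonical API name before it touches the query string.
    //  - The filter value is still referenced as a bind (:label); Database.query
    //    resolves in-scope Apex variables, so the text is never spliced in.
    public static List<SObject> findFieldsDynamic(List<String> requestedFields, String label) {
        Map<String, Schema.SObjectField> known =
            MobiForm_Field__c.SObjectType.getDescribe().fields.getMap(); // keys are lower-case
        List<String> safeFields = new List<String>();
        for (String f : requestedFields) {
            String key = (f == null) ? '' : f.trim().toLowerCase();
            if (!known.containsKey(key)) {
                throw new IllegalArgumentException('Unknown field: ' + f);
            }
            safeFields.add(known.get(key).getDescribe().getName());
        }
        if (safeFields.isEmpty()) {
            safeFields.add('Id');
        }
        String query = 'SELECT ' + String.join(safeFields, ', ')
            + ' FROM MobiForm_Field__c WHERE Label__c = :label';
        return Database.query(query);
    }

    // FALLBACK: only when a value genuinely has to be spliced into the string
    // (for example a LIKE pattern assembled in code). escapeSingleQuotes stops
    // the quote from terminating the literal; it does nothing for identifiers,
    // unquoted numbers, or the % and _ wildcards inside a LIKE pattern.
    public static String escapedLikeClause(String userTerm) {
        String safe = String.escapeSingleQuotes(userTerm);
        return 'Label__c LIKE \'%' + safe + '%\'';
    }
}
```

The point the scanner is making applies to both halves of the question's query string: the WHERE value is fixable with a bind variable, but `queryFields` is an identifier list, which cannot be bound, so the only defence for it is validating every name against a known set before concatenation. `Security.stripInaccessible` (CRUD/FLS enforcement) is a separate concern and does not replace either check.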