Copyright notice: This is the blogger's original article; reproduction without the blogger's permission is prohibited. https://blog.csdn.net/itsme_web/article/details/81978647
【Preface】: Salesforce uses SOQL rather than SQL as its query language. Because SOQL is simpler and more restricted in what it can express, the risk of SOQL injection is lower than that of SQL injection. That does not mean SOQL is free of injection risk, however.
【Anti-injection strategies】:
1. Use static queries instead of dynamic queries;
Static query: [SELECT Id, Name FROM Account WHERE Name = :name];
Dynamic query: Database.query('select id, name from account where name like \'%' + name + '%\'');
2. If a dynamic query cannot be avoided, apply the escapeSingleQuotes method so that any input parameter containing escape characters is treated as a plain string rather than as query syntax;
【Example analysis】:
Risky code:
<apex:page controller="SOQLController" >
  <apex:form>
    <apex:outputText value="Enter Name" />
    <apex:inputText value="{!name}" />
    <apex:commandButton value="Query" action="{!query}" />
  </apex:form>
</apex:page>
public class SOQLController {
    public String name {
        get { return name; }
        set { name = value; }
    }
    // Result list rendered by the page
    public List<Contact> queryResult { get; set; }
    public PageReference query() {
        // Vulnerable: the user-supplied name is concatenated straight into the query text
        String qryString = 'SELECT Id FROM Contact WHERE ' +
            '(IsDeleted = false and Name like \'%' + name + '%\')';
        queryResult = Database.query(qryString);
        return null;
    }
}
Normal input:
// User supplied value: name = Bob
// Query string
SELECT Id FROM Contact WHERE (IsDeleted = false and Name like '%Bob%')
SOQL injection:
// User supplied value for name: test%') OR (Name LIKE '
SELECT Id FROM Contact WHERE (IsDeleted = false AND Name LIKE '%test%') OR (Name LIKE '%')
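The same controller rewritten in the two safe forms listed under the anti-injection strategies, as an added example that is not part of the original post; the class name SafeSOQLController and the method names are assumptions for illustration.

```apex
// Added example (not from the original post). Class and method names are assumed.
public with sharing class SafeSOQLController {
    public String name { get; set; }
    public List<Contact> queryResult { get; set; }

    // Strategy 1: a static query with a bind variable. The value bound to
    // :pattern reaches the database as data and is never parsed as SOQL,
    // so a payload such as  test%') OR (Name LIKE '  stays inside the LIKE value.
    public PageReference queryStatic() {
        String pattern = '%' + name + '%';
        queryResult = [SELECT Id, Name FROM Contact
                       WHERE IsDeleted = false AND Name LIKE :pattern];
        return null;
    }

    // Strategy 2: if the query text must be built at runtime, escape every
    // single quote in the user value so it cannot close the string literal.
    // Note: escapeSingleQuotes only neutralises quotes; LIKE wildcards (% and _)
    // in the input still act as wildcards, which widens the match but cannot
    // change the structure of the query.
    public PageReference queryDynamic() {
        String safeName = String.escapeSingleQuotes(name);
        String qryString = 'SELECT Id, Name FROM Contact WHERE ' +
            '(IsDeleted = false AND Name LIKE \'%' + safeName + '%\')';
        // With the payload above the resulting text is
        // ... Name LIKE '%test%\') OR (Name LIKE \'%')
        // i.e. one string literal, not two conditions.
        queryResult = Database.query(qryString);
        return null;
    }
}
```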
【References】: SOQL Injection