How do I use String.escapeSinglequotes for the syntax below?

Id clientId = (Id) inputMap.get('ClientId');

I used it like this:

Id clientId = String.escapeSinglequotes((id)inputMap.get('ClientId'));

Account a = [Select Id, Client__c, ParentId, Parent.RecordType.DeveloperName, CI_ClientID__c from Account where Id = :clientId limit 1000];

But it's not working.

The error is: Method invokeMethod gets user input from element inputmap. This input is later concatenated by the application directly into a string variable containing SQL commands, without being validated. This string is then used in method to query the database select, at line 55 without any additional filtering by the database. This could allow the user to tamper with the filter parameter.

cropredy
SSV
  • Id type cannot have single (or double) quotes, only alphanumeric characters, so even if it worked, it would be useless. It seems an XY problem. Could you please tell us why you're trying to escape single quotes from an Id? Providing the actual code without altering it, as well as the error message verbatim (if any) would help. – RubenDG Aug 17 '23 at 13:15
  • Using static queries with bind variables is the best way to prevent SOQL Injection. If that warning message is triggered by that query, you could ignore it. By the way, there is a Trailhead about SOQL Injection. P.S. Do not add code and error messages as comments; you should edit the question. – RubenDG Aug 17 '23 at 13:25
  • Is there no solution for bypassing that error? – SSV Aug 17 '23 at 15:16
  • Is this an error from Checkmarx? If so, report it as a false positive, pointing out the static query with bind variable. – RubenDG Aug 17 '23 at 16:55
  • No, I can't mark it as a false positive. Is there a solution? – SSV Aug 19 '23 at 17:54

1 Answer

You don't need it. Casting to an Id results in either a value you can use directly or a StringException. Any string that has a quote in it will not cast to an Id, as Id values cannot contain quotes.

sfdcfox
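
The two cases discussed in this thread, side by side, as an added example (not code from the question or the answer): an Id taken from untrusted input is validated by the cast and used in a static query with a bind variable, while String.escapeSingleQuotes belongs only where a String value is concatenated into dynamic SOQL. The class name, method names, the Map<String, Object> type of inputMap and the sObject-type check are assumptions made here; the asker's custom fields are left out so the queries use standard fields only.

```apex
public with sharing class ClientAccountLookup {

    // Hypothetical exception type for rejected input.
    public class InvalidClientIdException extends Exception {}

    // Turn untrusted input into an Id. The cast fails for any value that is
    // not a well-formed Id, so a value containing quotes never gets past it.
    public static Id toAccountId(Object raw) {
        Id candidate;
        try {
            candidate = (Id) raw;
        } catch (Exception e) {
            throw new InvalidClientIdException('ClientId is not a valid Id');
        }
        // Added check (an assumption, not from the thread): reject Ids
        // that belong to another object type.
        if (candidate == null
                || candidate.getSObjectType() != Account.SObjectType) {
            throw new InvalidClientIdException('ClientId is not an Account Id');
        }
        return candidate;
    }

    // Static SOQL with a bind variable: the value of clientId is passed to
    // the query engine as data and is never part of the query text.
    public static Account findClient(Map<String, Object> inputMap) {
        Id clientId = toAccountId(inputMap.get('ClientId'));
        List<Account> rows = [
            SELECT Id, ParentId, Parent.RecordType.DeveloperName
            FROM Account
            WHERE Id = :clientId
            LIMIT 1
        ];
        return rows.isEmpty() ? null : rows[0];
    }

    // Dynamic SOQL: here the String value does become part of the query
    // text, which is the situation String.escapeSingleQuotes is meant for.
    public static List<Account> findByName(String untrustedName) {
        String soql = 'SELECT Id, Name FROM Account WHERE Name = \''
            + String.escapeSingleQuotes(untrustedName) + '\' LIMIT 50';
        return Database.query(soql);
    }
}
```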