kevinohara80 / nforce

nforce is a node.js salesforce REST API wrapper for force.com, database.com, and salesforce.com
MIT License

Parameterized Search Query (prevent SOQL Injection) #179

Open sughodke opened 5 years ago

sughodke commented 5 years ago

Salesforce has a REST API to search for a resource using parameterized variables, parameterizedSearch.

https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/resources_search_parameterized.htm

This would really help in safeguarding against injection attacks, as in the contrived example below, where route.id could be written in a malicious way.

    // Perform another account query
    // route.id is interpolated straight into the SOQL string, so a crafted value
    // can alter the WHERE clause instead of only the Id being matched
    let accountRecordUpdated = await query(
      `SELECT Id, Name, SLA__c FROM Account WHERE Id = '${route.id}'`,
      oauth
    )

Alternatively, SOQL seems to have "bind variables" for static queries. See https://trailhead.salesforce.com/en/content/learn/modules/secdev_injection_vulnerabilities/secdev_inject_prevent_soql_injection?trail_id=security_developer

kevinohara80 commented 5 years ago

Yes, it's currently up to a user to safeguard queries. Parameterized search works for search but Query would require another solution.

I'm currently working on a brand new version of nforce and this is something I may tackle.

I'm a fan of the way node-postgres does it and may implement something similar. https://node-postgres.com/features/queries#parameterized-query
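As an added illustration of the two points raised in this thread (the interpolated `route.id` in the opening comment, and the node-postgres-style `$1` placeholders mentioned in the reply), here is a small binder for SOQL queries. It is example code written for this discussion, not nforce's code and not code from either commenter; the function names `soqlLiteral`, `bindSoql`, `isSalesforceId` and `accountQueryFor` are hypothetical, and the escaping follows SOQL's backslash escapes for quotes and control characters inside single-quoted string literals. The sample inputs are constructed.

```javascript
// Added example, not nforce's code: node-postgres-style placeholders for SOQL.
// Values bound through $1, $2, ... are rendered as escaped SOQL literals, so a
// value such as route.id can never change the structure of the query.
// Function names (soqlLiteral, bindSoql, isSalesforceId, accountQueryFor) are hypothetical.

// Salesforce record Ids are 15- or 18-character alphanumerics. An allow-list
// check like this is the cheapest defence for an Id taken straight from a route.
const SALESFORCE_ID = /^[A-Za-z0-9]{15}(?:[A-Za-z0-9]{3})?$/;
function isSalesforceId(value) {
  return typeof value === 'string' && SALESFORCE_ID.test(value);
}

// Render a single JavaScript value as a SOQL literal.
function soqlLiteral(value) {
  if (value === null || value === undefined) return 'null';
  if (typeof value === 'boolean') return value ? 'true' : 'false';
  if (typeof value === 'number') {
    if (!Number.isFinite(value)) throw new TypeError('cannot bind a non-finite number');
    return String(value);
  }
  if (value instanceof Date) {
    if (Number.isNaN(value.getTime())) throw new TypeError('cannot bind an invalid Date');
    // SOQL datetime literals are unquoted ISO 8601 without milliseconds.
    return value.toISOString().replace(/\.\d{3}Z$/, 'Z');
  }
  if (typeof value === 'string') {
    // Backslash first, then the quote and control characters that could
    // otherwise terminate or alter the single-quoted literal.
    const escaped = value
      .replace(/\\/g, '\\\\')
      .replace(/'/g, "\\'")
      .replace(/"/g, '\\"')
      .replace(/\n/g, '\\n')
      .replace(/\r/g, '\\r')
      .replace(/\t/g, '\\t');
    return `'${escaped}'`;
  }
  if (Array.isArray(value)) {
    // For IN (...) clauses: every element is bound individually.
    if (value.length === 0) throw new RangeError('cannot bind an empty list');
    return `(${value.map(soqlLiteral).join(', ')})`;
  }
  throw new TypeError(`cannot bind a value of type ${typeof value}`);
}

// Replace $1..$n in text with the bound literals. Every placeholder must have
// a value and every value must be referenced, so a mismatch between the query
// and its arguments fails loudly instead of silently querying the wrong thing.
function bindSoql(text, values = []) {
  const referenced = new Set();
  const bound = text.replace(/\$(\d+)/g, (_, digits) => {
    const index = Number(digits) - 1;
    if (index < 0 || index >= values.length) {
      throw new RangeError(`placeholder $${digits} has no bound value`);
    }
    referenced.add(index);
    return soqlLiteral(values[index]);
  });
  if (referenced.size !== values.length) {
    throw new RangeError(`${values.length - referenced.size} bound value(s) were never referenced`);
  }
  return bound;
}

// The query from the opening comment, with route.id bound instead of interpolated.
function accountQueryFor(routeId) {
  return bindSoql('SELECT Id, Name, SLA__c FROM Account WHERE Id = $1', [routeId]);
}

// Constructed inputs: the second contains the quote an injected value would need
// to break out of the literal; it is escaped, so the WHERE clause is unchanged.
console.log(accountQueryFor('001xx000003DGb2AAA'));
console.log(accountQueryFor("001xx000003DGb2' OR Name != '"));
console.log(isSalesforceId("001xx000003DGb2' OR Name != '")); // false: reject before querying
```

Binding and the Id allow-list are complementary: `bindSoql` makes any string safe to embed, while `isSalesforceId` lets a route handler reject an obviously malformed Id before a request is sent at all.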