Is your feature request related to a problem? Please describe.
Sometimes we have to write SOQL queries by hand that include parameters from uncontrolled inputs. We need a safe way to execute those, so that we aren't creating SOQL injection vulnerabilities. The risks are lower than with SQL injection because SOQL doesn't have any write capabilities. However, SOQL can still be exploited to exfiltrate sensitive data.
Describe the solution you'd like
Sanitization methods like in ActiveRecord. Something like ActiveRecord::Base.sanitize_sql_for_conditions would cover most cases. And I believe we already have the basic logic in ActiveQuery.where.
Describe alternatives you've considered
- Change the query so that it works with .where because that already performs sanitization. However, this is not always feasible.
- I've been using the ActiveRecord methods, but obviously we shouldn't have to rely on that as a dependency.
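
A sketch of the kind of helper requested above, modelled on the `?` placeholder style of `sanitize_sql_for_conditions`. This is an added example, not part of the original issue and not code from ActiveForce or ActiveRecord; the `SoqlSanitizer` module and its method names are hypothetical, and it assumes SOQL's backslash escaping for quotes and backslashes inside string literals.

```ruby
require "date"
require "time"

# Hypothetical helper (assumption): not an ActiveForce or ActiveRecord API.
module SoqlSanitizer
  # Characters that must be backslash-escaped inside a SOQL string literal.
  ESCAPES = { "\\" => "\\\\", "'" => "\\'", "\n" => "\\n", "\r" => "\\r" }.freeze

  module_function

  # Render one Ruby value as a SOQL literal; unknown types are rejected.
  def quote(value)
    case value
    when String then "'#{value.gsub(/[\\'\n\r]/, ESCAPES)}'"
    when Integer then value.to_s
    when true, false then value.to_s
    when nil then "null"
    when Time, DateTime then value.to_time.utc.iso8601 # datetimes are unquoted in SOQL
    when Date then value.iso8601                       # so are dates
    when Array
      raise ArgumentError, "empty IN list" if value.empty?
      "(#{value.map { |v| quote(v) }.join(', ')})"
    else raise ArgumentError, "unsupported bind type: #{value.class}"
    end
  end

  # Replace each ? in the template with the quoted bind value.
  # The template must be trusted code; a literal ? inside it counts as a placeholder.
  def sanitize_conditions(template, *binds)
    expected = template.count("?")
    raise ArgumentError, "expected #{expected} binds, got #{binds.size}" unless expected == binds.size
    remaining = binds.dup
    template.gsub("?") { quote(remaining.shift) }
  end
end

# Constructed input for illustration: a value containing single quotes.
user_input = "x' OR Name != '"
# Interpolation lets the value close the literal and extend the WHERE clause.
unsafe = "SELECT Id FROM Account WHERE Name = '#{user_input}'"
# The helper keeps the whole value inside one string literal.
safe = "SELECT Id FROM Account WHERE " + SoqlSanitizer.sanitize_conditions("Name = ?", user_input)
puts unsafe, safe
```

Only values are bound this way; field and object names cannot be quoted as literals and would need an allowlist instead.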