SOQL Injection in Apex Salesforce

SOQL injection in Apex is an attack in which user-controlled input changes the query sent to your database, letting an attacker read data they should not see. It is therefore important to prevent SOQL injection whenever you write a query that selects data from the database. In Apex you can write a SELECT query in two ways.
1. Inside brackets like [].

Example: if you want all Contacts whose Name ends with xyz, the query looks like this:

String likeStr = '%xyz';

// Static SOQL: likeStr is a bind variable, so its value is never parsed as query syntax
List<Contact> conList = [SELECT Id, FirstName, LastName FROM Contact WHERE Name LIKE :likeStr];
System.debug(conList);

With this type of query (static SOQL with a bind variable) Salesforce prevents SOQL injection by default, because the bound value is never interpreted as part of the query text. You do not need to write any extra code in the Apex class to guard against SOQL injection.
OUTPUT

(Contact:{Id=0037djdddkdkdkdk, FirstName=Andy, LastName=xyz})

2. Database.query() or Database.countQuery().

Example: if you want all Contacts whose Name ends with xyz, the dynamic query looks like this:

String likeStr = '%xyz';

// Dynamic SOQL: the value is concatenated into the query string, so single quotes must be escaped
List<Contact> conList = Database.query('SELECT Id, FirstName, LastName FROM Contact WHERE Name LIKE \'' + String.escapeSingleQuotes(likeStr) + '\'');

System.debug(conList);

Note:

Pay attention to dynamic queries that are built by concatenating several strings, and escape single quotes in every variable used in the query. Use the static method of the String class, String.escapeSingleQuotes(variableName), to do this.

FLS Check in Apex Class

In an Apex class you should check field-level security (FLS). Most of us do not. It is best practice to check security explicitly before every database statement (SELECT, INSERT, UPDATE and DELETE). If you build an app for the AppExchange, this check is mandatory. For example, a user may have access to read all Contacts but not be allowed to create or modify records, so your Apex class must also check whether the logged-in user is able to create or update a record.

Learning FLS in an Apex class, step by step

1. Check whether the object is accessible. For example, if you want to read an Account's Name and Phone, the code looks like this:

if(Schema.SObjectType.Account.isAccessible()) // Object Accessibility 
{
   //Fields Accessibility
   if(Schema.SObjectType.Account.Fields.Name.isAccessible() && Schema.SObjectType.Account.Fields.Phone.isAccessible())
   {
        List<Account> accList = [Select Name,Phone from Account Limit 1];
   }
}

2. Check create permission if you want to insert an Account record.

if(Schema.SObjectType.Account.isCreateable()) // Object Accessibility 
{ 
    //Fields Accessibility 
    if(Schema.SObjectType.Account.Fields.Name.isCreateable() && Schema.SObjectType.Account.Fields.Phone.isCreateable()) 
    { 
          Account accObj = new Account(Name='Test',Phone='1234567890');
    } 
}

NOTE 1: Do not write a SOQL query without a LIMIT or a WHERE clause.
In your SOQL query write a WHERE clause, like [Select id from contact where name = 'test'], or a LIMIT, like
[Select id from contact LIMIT 1];
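The two sections above (escaping in dynamic SOQL, and FLS checks before a SELECT) combined in one added example; this is illustrative code written for this page, not code from the original post. The class name ContactSearch and its method names are assumptions, and the LIMIT of 100 is a constructed value.

```apex
// Added example (not from the original post): a dynamic Contact search written
// the unsafe way, then the two ways the post recommends, with an FLS check.
// ContactSearch and its method names are assumptions for this illustration.
public with sharing class ContactSearch {

    // UNSAFE: the caller's input is concatenated straight into the query text.
    // A single quote in the input closes the string literal, and whatever follows
    // it is parsed as query syntax instead of as data.
    public static List<Contact> searchUnsafe(String suffix) {
        String q = 'SELECT Id, FirstName, LastName FROM Contact '
                 + 'WHERE Name LIKE \'%' + suffix + '\' LIMIT 100';
        return Database.query(q);
    }

    // SAFE: single quotes in the input are escaped, so the value can no longer
    // close the string literal. A LIMIT bounds the result set (NOTE 1 above).
    public static List<Contact> searchWithEscaping(String suffix) {
        String likeStr = '%' + String.escapeSingleQuotes(suffix);
        String q = 'SELECT Id, FirstName, LastName FROM Contact '
                 + 'WHERE Name LIKE \'' + likeStr + '\' LIMIT 100';
        return Database.query(q);
    }

    // PREFERRED: a bind variable works in dynamic SOQL too. The value never
    // becomes part of the query text, so no escaping is needed at all.
    public static List<Contact> searchWithBind(String suffix) {
        String likeStr = '%' + suffix;
        String q = 'SELECT Id, FirstName, LastName FROM Contact '
                 + 'WHERE Name LIKE :likeStr LIMIT 100';
        return Database.query(q);
    }

    // FLS check before the read, as in the FLS section: the object and every
    // selected field must be accessible to the running user.
    public static Boolean canReadContactName() {
        return Schema.SObjectType.Contact.isAccessible()
            && Schema.SObjectType.Contact.fields.FirstName.isAccessible()
            && Schema.SObjectType.Contact.fields.LastName.isAccessible();
    }

    // Entry point: refuse the query when FLS fails, otherwise use the bind form.
    public static List<Contact> search(String suffix) {
        if (!canReadContactName()) {
            return new List<Contact>();
        }
        return searchWithBind(suffix);
    }
}
```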

Generic Code to Insert Record in Object Salesforce

// Sample inputs (constructed for this example; in real code they come from the caller)
String objectName = 'Account';
String fieldApiName = 'Name';
Object fieldValue = 'Test';

// Get the object type by passing the object's API name
Schema.SObjectType objType = Schema.getGlobalDescribe().get(objectName);

// Create an instance of the sObject
sObject genericObj = objType.newSObject();

// Set a value for each field you want to populate
// @param fieldApiName must be of String type
// @param fieldValue is a value of any data type
genericObj.put(fieldApiName, fieldValue);

// Insert the record; allOrNone=true makes the call throw on failure
Database.insert(genericObj, true);