1. Use a bind variable in a static query instead of building a dynamic query string from user input; a bound value is passed as data and is never parsed as SOQL.
ex:
String searchText = '%' + Name + '%';
List<Account> res = [SELECT Id, Name, Type, Rating, Phone, Active__c FROM Account WHERE Name LIKE :searchText];
2. If a dynamic query is unavoidable, use the String.escapeSingleQuotes method to sanitize user-supplied input before concatenating it inside a quoted literal.
ex:
String query = 'SELECT Id, Name, Type, Rating, Phone, Active__c FROM Account WHERE Name LIKE \'%' + String.escapeSingleQuotes(Name) + '%\'';
List<Account> res = Database.query(query);
3. Add WITH SECURITY_ENFORCED so the query throws a System.QueryException when the running user lacks read access to the object or to any selected field.
ex:
String searchText = '%' + Name + '%';
return [SELECT Id, Name, Type, Rating, Phone, Active__c FROM Account WHERE Name LIKE :searchText WITH SECURITY_ENFORCED];
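The three techniques above, collected into one Apex class as an added example (this is not code from the original post). The class and method names are assumptions; Active__c is the custom field the post already uses and is assumed to exist in the org. The unsafe method shows the concatenation pattern the three safe forms replace, and the accompanying test shows that a quote in the input is treated as data by the bind and escape variants but breaks the concatenated query.

```apex
// Added example (not from the original post). Class and method names are assumptions.
public with sharing class AccountSearch {

    // UNSAFE: user input is concatenated straight into the SOQL text, so a
    // single quote in the input ends the literal and the rest is parsed as SOQL.
    public static List<Account> unsafeSearch(String name) {
        String query = 'SELECT Id, Name, Type, Rating, Phone, Active__c FROM Account '
            + 'WHERE Name LIKE \'%' + name + '%\'';
        return Database.query(query);
    }

    // 1. Static query with a bind variable: the value is passed as data.
    public static List<Account> searchWithBind(String name) {
        String searchText = '%' + name + '%';
        return [SELECT Id, Name, Type, Rating, Phone, Active__c
                FROM Account WHERE Name LIKE :searchText];
    }

    // 1b. Bind variables also work inside Database.query when the variable is in
    // scope. Parts that cannot be bound (here ORDER BY) are allow-listed, not escaped,
    // because escapeSingleQuotes only protects values inside a quoted literal.
    public static List<Account> searchDynamicWithBind(String name, String orderField) {
        String searchText = '%' + name + '%';
        Set<String> allowedOrder = new Set<String>{ 'Name', 'Rating' };
        String orderBy = allowedOrder.contains(orderField) ? orderField : 'Name';
        return Database.query('SELECT Id, Name, Type, Rating, Phone, Active__c FROM Account '
            + 'WHERE Name LIKE :searchText ORDER BY ' + orderBy);
    }

    // 2. escapeSingleQuotes: for a value that ends up inside a quoted literal.
    public static List<Account> searchWithEscape(String name) {
        String query = 'SELECT Id, Name, Type, Rating, Phone, Active__c FROM Account '
            + 'WHERE Name LIKE \'%' + String.escapeSingleQuotes(name) + '%\'';
        return Database.query(query);
    }

    // 3. WITH SECURITY_ENFORCED: throws System.QueryException if the running user
    // lacks read access to Account or to any selected field. Record-level sharing
    // is still decided by the class's "with sharing" keyword, not by this clause.
    public static List<Account> searchWithSecurityEnforced(String name) {
        String searchText = '%' + name + '%';
        return [SELECT Id, Name, Type, Rating, Phone, Active__c
                FROM Account WHERE Name LIKE :searchText
                WITH SECURITY_ENFORCED];
    }
}

@IsTest
private class AccountSearchTest {
    @IsTest
    static void quoteInInputIsDataNotSyntax() {
        // Constructed test record; the quote in the name is the interesting part.
        insert new Account(Name = 'O\'Neil Ltd');

        System.assertEquals(1, AccountSearch.searchWithBind('O\'Neil').size());
        System.assertEquals(1, AccountSearch.searchDynamicWithBind('O\'Neil', 'Rating').size());
        System.assertEquals(1, AccountSearch.searchWithEscape('O\'Neil').size());
        System.assertEquals(1, AccountSearch.searchWithSecurityEnforced('O\'Neil').size());

        try {
            AccountSearch.unsafeSearch('O\'Neil');
            System.assert(false, 'the unescaped quote should have produced malformed SOQL');
        } catch (System.QueryException e) {
            // The quote was parsed as SOQL syntax rather than as part of the name.
        }
    }
}
```

The test runs in a Salesforce org with the Active__c field present; if the running user lacks read access to one of the selected fields, only searchWithSecurityEnforced fails, which is the behaviour that clause is there to give.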