
Is ROQL injection possible with single quote?

edited Feb 21, 2018 11:46AM in Integrations and APIs 4 comments

I am calling this REST endpoint. We are sending in the following query (URL-encoded). "email" is sent from users, so it is potentially dangerous.

SELECT *
FROM Contacts
WHERE Contacts.Emails.Address = '`+email+`' LIMIT 1

Do I need to ensure that email is escaped? I.e., we are currently allowing the user to input a single quote; could this be used maliciously to achieve ROQL injection?
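An added example (not code from the original post or from Oracle) that shows what the concatenation above produces when the caller supplies a single quote, and an allowlist check that refuses such input before it reaches the query. The payload, the `LIKE` clause it appends and the function names are assumptions made for illustration; whether a given appended clause parses depends on ROQL's grammar, which this example does not model.

```javascript
// Added example, not from the original post: how a single quote in `email`
// changes the ROQL text built by string concatenation, and an allowlist
// check that rejects such input before a query is built.

// Same construction as the post: the value is dropped straight into the literal.
function buildContactQueryUnsafe(email) {
  return `SELECT * FROM Contacts WHERE Contacts.Emails.Address = '${email}' LIMIT 1`;
}

// Allowlist for the characters an address may contain. Deliberately stricter
// than RFC 5321 (quoted local parts are rejected), so no quote, backslash,
// whitespace or operator characters can pass. The length caps are assumptions.
const EMAIL_RE = /^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$/;

function isSafeEmail(email) {
  return typeof email === 'string' && email.length <= 254 && EMAIL_RE.test(email);
}

// Validated builder: the caller gets an exception instead of an altered query.
function buildContactQuery(email) {
  if (!isSafeEmail(email)) {
    throw new Error('rejected: email fails allowlist validation');
  }
  return buildContactQueryUnsafe(email);
}

// The query as it would be placed in the request's q parameter (hypothetical
// parameter name), URL-encoded as the post describes.
function queryParam(email) {
  return 'q=' + encodeURIComponent(buildContactQuery(email));
}

// Constructed payload: closes the string literal and appends a second
// condition. LIKE is used here as an assumption about ROQL's grammar; the
// point is that the WHERE clause that runs is no longer the caller's.
const PAYLOAD = "x' OR Contacts.Emails.Address LIKE '%";

console.log('unsafe :', buildContactQueryUnsafe(PAYLOAD));
console.log('safe   :', queryParam('alice@example.com'));
try {
  buildContactQuery(PAYLOAD);
} catch (e) {
  console.log('blocked:', e.message);
}
```

Validation against a strict allowlist is independent of whatever escaping convention ROQL uses for single quotes, which is why it is shown instead of an escaping routine; if the service must accept addresses with a quoted local part, the escaping rules in the ROQL documentation have to be followed for that one character rather than relying on this regex.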
