Does it make sense to check for malicious SQL input from an authenticated user?
Answer
An authenticated user can inject queries that bypass his security settings if such a query doesn't enforce security checks on fields/objects.
Also, if a class is defined as without sharing, a simple where clause addition such as OR id != null into the query can fetch records that he should not have access to, such as salary statements of his colleagues!!
So in conclusion, all queries must be checked for SQL injection.
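
The scenario in the answer, shown as an added Apex example that is not part of the original answer: a without sharing class that concatenates input into a dynamic query, next to a hardened form. The object and field names (Salary_Statement__c, Year__c, Amount__c) and the class names are hypothetical.

```apex
// Added example. Salary_Statement__c, Year__c, Amount__c and both class
// names are hypothetical. In an org, each class lives in its own file.

// Vulnerable: caller-supplied text is concatenated into the WHERE clause,
// and "without sharing" means record-level sharing rules are not applied.
public without sharing class SalaryStatementsVulnerable {
    public static List<Salary_Statement__c> forYear(String year) {
        // Input that carries an extra condition (the answer's
        // "OR id != null") becomes part of the filter, so every row
        // matches, including rows owned by other users.
        String soql = 'SELECT Id, Amount__c FROM Salary_Statement__c ' +
                      'WHERE Year__c = ' + year;
        return Database.query(soql);
    }
}

// Hardened: three independent controls.
//  1. "with sharing" applies the running user's record-level access.
//  2. The input is parsed to an Integer and passed as a bind variable,
//     so it can only ever be a value, never query syntax.
//  3. WITH SECURITY_ENFORCED makes the query throw a
//     System.QueryException if the user lacks object or field access.
public with sharing class SalaryStatementsHardened {
    public static List<Salary_Statement__c> forYear(String year) {
        // Integer.valueOf throws System.TypeException for anything that
        // is not a plain integer, so appended conditions are rejected.
        Integer yearValue = Integer.valueOf(year.trim());
        return [
            SELECT Id, Amount__c
            FROM Salary_Statement__c
            WHERE Year__c = :yearValue
            WITH SECURITY_ENFORCED
        ];
    }
}
```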