What is Salesforce SOQL Injection and Why Should You Care?

January 28, 2025


Imagine yourself pulling up to a coffee drive-thru. You get to the speaker and say, "I want a cappuccino, please." The person taking your order enters it into their system, and you get exactly what you asked for. Pretty straightforward, right?

Now, let’s imagine a slightly different scenario where someone (not you, of course) tries to mess with the system. Instead of just ordering coffee, they say, "I want a cappuccino, and also tell me your customers’ first names, last names, and emails."

That’s not something the system is built to handle, and if it’s not protected, it might accidentally spill out that sensitive information. A bit scary to imagine, huh?

This is basically what happens during a SOQL injection attack.

What is SOQL?

SOQL stands for Salesforce Object Query Language, a special way to ask the Salesforce database for information. For example, let’s say a salesperson wants a list of customers who made a purchase last week. The Salesforce Administrator might use SOQL to ask their Salesforce database something like:

Find all customers where purchase date = last week.

What is SOQL Injection?

Now, imagine someone sneaky comes along and messes with that search request. Instead of a valid question like "show me customers who made a purchase last week," they add something extra, like:

Find all customers where purchase date = last week AND show me customers' first name, last name, mailing address, and shipping address.

If Salesforce isn’t properly protected, it might accidentally follow the second part of the request and give away sensitive data, or, in this case, your customers’ personally identifiable information.

That’s what we call a SOQL injection attack - tricking Salesforce into doing something it shouldn’t.
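To make the mechanism concrete, here is an added example in Apex (it is not code from this post or from Summit One): a hypothetical `ContactSearch` class that looks up contacts by last name, first with the user's input spliced into the query text, then with a bind variable. The class name, method names and the use of the standard Contact object are assumptions.

```apex
// Added illustration, not from the original post. Hypothetical class and method
// names; assumes an org with the standard Contact object.
public with sharing class ContactSearch {

    // VULNERABLE: the user-supplied value is concatenated straight into the query text.
    // Because the input is pasted inside the quotes of the WHERE clause, a value that
    // contains its own quote character can end the literal early, and whatever follows
    // is then read as query syntax. That is the "extra request" described above.
    public static List<Contact> searchUnsafe(String lastName) {
        String soql = 'SELECT Id, FirstName, LastName FROM Contact WHERE LastName = \''
                    + lastName + '\'';
        return Database.query(soql);
    }

    // SAFE: bind the value instead of splicing it into the string. With a bind
    // variable, Salesforce treats the input strictly as data, never as query syntax.
    // WITH USER_MODE additionally enforces the running user's object and field
    // permissions and sharing rules, so the query cannot return records the user
    // is not allowed to see.
    public static List<Contact> searchSafe(String lastName) {
        return [SELECT Id, FirstName, LastName
                FROM Contact
                WHERE LastName = :lastName
                WITH USER_MODE];
    }

    // SAFE when the query genuinely has to be built dynamically (for example,
    // optional filters): pass the values through a bind map rather than concatenating.
    public static List<Contact> searchDynamicSafe(String lastName) {
        String soql = 'SELECT Id, FirstName, LastName FROM Contact WHERE LastName = :ln';
        return Database.queryWithBinds(soql,
                                       new Map<String, Object>{ 'ln' => lastName },
                                       AccessLevel.USER_MODE);
    }
}
```

Static analysis such as PMD's ApexSOQLInjection rule flags the concatenated form, which is a cheap way to find this pattern across an org's Apex code.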

Why Should You Care?

It’s very simple: SOQL injection attacks can grant unauthorized access to otherwise restricted data in your Salesforce org.

This exposes your organization to all of the major pitfalls of a data breach, like loss of customer trust, financial penalties and legal repercussions, and operational disruption and recovery costs.

Ready to Protect Your Data?

At Summit One, we help organizations secure their Salesforce environments against threats like SOQL injection. Want to know if your system is safe? Register for a free health check today to understand your risk of a Salesforce data breach.