Topic by William Sando
I am calling this REST endpoint. We are sending in the following query (URL encoded). "email" is sent from users, so it is potentially dangerous.
SELECT *
FROM Contacts
WHERE Contacts.Emails.Address = '`+email+`' LIMIT 1
Do I need to ensure that email is escaped? I.e. we are currently allowing users to input a single quote; could this be used maliciously to achieve ROQL injection?
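An added example (not from the original post) of the defensive side of this question: validate `email` against a strict allow-list before it is interpolated into the ROQL statement quoted above, so a single quote never reaches the query or the URL. `REST_BASE` is a placeholder because the post does not name the endpoint, and the allow-list regex is my assumption; it deliberately rejects apostrophes even though RFC 5322 permits them in a local part.

```javascript
// Added example, not code from the original post.
// REST_BASE is a placeholder: the post does not name the real endpoint.
const REST_BASE = "https://EXAMPLE-HOST/PLACEHOLDER-ROQL-ENDPOINT";

// Conservative allow-list (assumption): one local part, one '@', a dotted domain.
// No quotes, backslashes, whitespace or other ROQL-significant characters can pass.
// Trade-off: RFC 5322 allows apostrophes in local parts; this rejects them on purpose.
const EMAIL_RE = /^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/;

// Throws when the input is not a plain string matching the allow-list.
function validateEmail(email) {
  if (typeof email !== "string" || !EMAIL_RE.test(email)) {
    throw new Error("rejected: email failed allow-list validation");
  }
  return email;
}

// Builds the same ROQL statement as the post, but only from a validated value.
function buildContactQuery(email) {
  const safe = validateEmail(email);
  return `SELECT * FROM Contacts WHERE Contacts.Emails.Address = '${safe}' LIMIT 1`;
}

// URL-encodes the statement into the "q" parameter the REST endpoint would receive.
function buildRequestUrl(email) {
  const params = new URLSearchParams({ q: buildContactQuery(email) });
  return `${REST_BASE}?${params.toString()}`;
}

// True when the input is rejected before it ever becomes part of a query.
function isRejected(email) {
  try {
    buildContactQuery(email);
    return false;
  } catch {
    return true;
  }
}

// Constructed sample inputs: a normal address and one carrying a single quote.
if (typeof require !== "undefined" && require.main === module) {
  for (const e of ["alice@example.com", "o'brien@example.com"]) {
    console.log(JSON.stringify(e), isRejected(e) ? "rejected" : buildRequestUrl(e));
  }
}
```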