Genuine SOQL Injection issue or False Positive?

If you want to be cautious, you can check that it is an actual field first. Possibly easier to sanitize input than enforce namespace.

public static List<Contact> safeQuery(MyCustomSetting__c setting, String filterValue)
{
    // Resolve the configured field name against Contact's describe map so that
    // only a real field, never arbitrary text, can reach the query string.
    SObjectField field = SObjectType.Contact.fields.getMap().get(setting.Filter_Field__c);
    if (field != null && field.getDescribe().isAccessible()) return Database.query(
        'SELECT Id FROM Contact WHERE ' + String.valueOf(field) + ' = :filterValue'
    );
    // "else" - choose the failure behaviour that fits the application:
    // return empty collection?
    // throw exception?
    // send email?
    return new List<Contact>();
}

It could be an SOQL injection issue depending on how the overall application populates the custom setting.

If the user has access to populate the custom setting then they could populate it with a string that would cause SOQL injection.

Best bet would be to just use the proper methods to prevent it.

Although, you would probably get away with an explanation that the value is being queried for and not actually entered by the user. The big difference in this case is that the database itself will not ensure its format like it would if the value was an ID field or something. I have had success with the explanation as long as the value being queried is never populated by a User Interface that could make it an issue.
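To make the "proper methods" concrete, here is an added example (not code from any of the answers above) showing the concatenation pattern that makes the custom setting value dangerous beside a hardened version that whitelists the field name via the describe map and binds the value. The class name, `MyCustomSetting__c` and `Filter_Field__c` are assumed for illustration.

```apex
// Added example, not from the original answers. MyCustomSetting__c and
// Filter_Field__c are assumed names for a custom setting and its text field.
public with sharing class ContactFilterExample {

    // VULNERABLE: the field name and the value are pasted into the query text.
    // Anyone who can edit the custom setting record controls part of the SOQL.
    public static List<Contact> unsafeQuery(MyCustomSetting__c setting, String filterValue) {
        String soql = 'SELECT Id, LastName FROM Contact WHERE '
            + setting.Filter_Field__c + ' = \'' + filterValue + '\'';
        return Database.query(soql);
    }

    // HARDENED: the configured name must resolve to a real, readable Contact
    // field, and the value is passed as a bind variable, never concatenated.
    public static List<Contact> safeQuery(MyCustomSetting__c setting, String filterValue) {
        if (String.isBlank(setting.Filter_Field__c)) {
            throw new IllegalArgumentException('Filter_Field__c is not configured');
        }
        // Describe map keys are lower-case API names.
        Map<String, Schema.SObjectField> fieldMap =
            Schema.SObjectType.Contact.fields.getMap();
        Schema.SObjectField field = fieldMap.get(setting.Filter_Field__c.toLowerCase());

        if (field == null) {
            throw new IllegalArgumentException(
                'Unknown Contact field in custom setting: ' + setting.Filter_Field__c);
        }
        if (!field.getDescribe().isAccessible()) {
            // Enforce field-level security for the running user.
            throw new System.NoAccessException();
        }

        // String.valueOf on an SObjectField yields its API name, so only a
        // describe-validated field name ever reaches the query text; the value
        // is bound (:filterValue) and cannot alter the query structure.
        String soql = 'SELECT Id, LastName FROM Contact WHERE '
            + String.valueOf(field) + ' = :filterValue';
        return Database.query(soql);
    }
}
```

Wiring the field name through the describe map is what turns the custom setting from query text into a key lookup, which is the distinction the answers above are making.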


Perhaps this is prevented in your full query, but in the one provided a person can enumerate valid contact IDs, and any which match a custom setting would appear to complete the query, allowing anyone to query the ID and last name of any contact in the setting.

I agree with your main point that this is not vulnerable to injection in the general sense, since the value passed is not actually put in the query.