Salesforce Certified Platform Developer II — Question 127
Which statement is true regarding the use of user input as part of a dynamic SOQL query?
Answer options
- A. Free text input should not be allowed, to avoid SOQL injection
- B. The String.format() method should be used to prevent injection
- C. Quotes should be escaped to protect against SOQL injection
- D. The string should be URL encoded by the input form to prevent errors
Correct answer: C
Explanation
The correct answer is C because escaping quotes in user-supplied values is the essential defence against SOQL injection when building a dynamic query. Option A is incorrect because free-text input is often a legitimate requirement and cannot simply be forbidden; B is misleading because String.format() only substitutes values into a template and does not prevent injection; D is incorrect because URL encoding by the input form does not address how the value is placed into the query, so it is not relevant to injection.