Dynamic SOQL Queries packages and security

For managed packaged development dynamic SOQL queries assist developers with creating soql queries on the fly without hard coding field names which may not be there in all orgs. When you install an managed package you may run into trouble is some fields do not exist. This is why dynamic SOQL queries can be beneficial by using the schema describe objects. The code below can help any developer to retrieve the fields from any object by providing the object name. From that you can build a dynamic soql query and also define the data type for each field. Be careful when using Dynamic SOQL queries as it can be prone to SOQL injection attacks. Make sure your return type is static and final.

Return the Schema.SObjectType for the specific Object’s ID we provide

public static Schema.SObjectType getObjectSchema(String objectSObjectName)
        if (sobjectSchemaMap.isEmpty())

        return sobjectSchemaMap.get(objectSObjectName);

SchemaMap() method to return the Schema Map for your organization.

private static Map<String, Schema.SObjectType> sobjectSchemaMap;
public static Map getSchemaMap()
        return sobjectSchemaMap == null ? Schema.getGlobalDescribe() : sobjectSchemaMap;

Dynamically creating the SOQL Query when we have the queryFields, Object and Id.

private String query;
public String buildQueryAllString(List queryFields,DescribeSObjectResult obj, String theId)
        query = QUERY_SELECT_STATEMENT[0];
        for(Schema.DescribeFieldResult dfr : queryFields)
            query = query + dfr.getName() + ',';

        query = query.subString(0,query.length() - 1);
        query = query + QUERY_SELECT_STATEMENT[1];
        query = query + obj.getName();
        query = query + QUERY_SELECT_STATEMENT[2];
        query = query + theId + '\'';
        return query;

Putting it all together:
1. We provide and Record ID.
2. find the SObject for the ID provided.
3. Get the SObject Fields for the SObject
4. Create a SOQL Query
5. Run the SOQL Query to retrieve information.

public SObject processSchemaInfo(String id)
        schemaMap = DynamicSOQL.getSchemaMap();
        sobjects = schemaMap.values();

        Schema.DescribeSObjectResult objDescribe;
        List tempFields;

        buildQuery = '';
        fields = new List();

        for(Schema.SObjectType objType : sobjects)
            objDescribe = objType.getDescribe(); 
            String sobjectPrefix = objDescribe.getKeyPrefix();
            if(id != null && sobjectPrefix != null && id.startsWith(sobjectPrefix))
                objectType = objDescribe.getLocalName();
                Map<String, Schema.SObjectField> fieldMap = objDescribe.fields.getMap();
                tempFields = fieldMap.values();
                for(Schema.SObjectField sof : tempFields)
                buildQuery = buildQueryAllString(fields,objDescribe,id);

        return  Database.query(buildQuery);
       catch(Exception ex)
       		return null;

Leave a Comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s