To create a dynamic SOQL query at run time, use the database query method. Check the reference link for more details.
// queryString holds the SOQL text assembled at run time
List<sObject> sobjList = Database.query(queryString);
To create a dynamic SOSL query at run time, use the search query method. For example:
String searchquery = 'FIND \'Edge*\' IN ALL FIELDS RETURNING Account(Id, Name), Contact, Lead';
List<List<SObject>> searchList = Search.query(searchquery);
To prevent SOSL injection, use the escapeSingleQuotes method. This method adds the escape character (\) to all single quotation marks in a string that is passed in from a user. The method ensures that all single quotation marks are treated as enclosing strings, instead of database commands.
fieldList = (fieldList != null) ? String.escapeSingleQuotes(fieldList) : fieldList;
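As an added example (not code from the original page), the Apex class below puts user input into a dynamic SOQL and SOSL query three ways: unsafe concatenation, concatenation after String.escapeSingleQuotes as described above, and a bind variable as covered by the reference link. The class, method and parameter names are hypothetical.

```apex
// Added example: contrasting an injectable dynamic query with two hardened forms.
// Assumes a controller passes the raw search term as "userInput" (hypothetical).
public with sharing class DynamicQueryExample {

    // Unsafe: the raw term is spliced into the query text, so a term that
    // contains a single quote can change the WHERE clause the database sees.
    public static List<Account> searchUnsafe(String userInput) {
        String q = 'SELECT Id, Name FROM Account WHERE Name LIKE \'%' + userInput + '%\'';
        return Database.query(q);
    }

    // Hardened (1): escape the quotes first, as the page describes. The input
    // can now only ever be a string literal, never part of the query syntax.
    public static List<Account> searchEscaped(String userInput) {
        String safeInput = (userInput != null) ? String.escapeSingleQuotes(userInput) : '';
        String q = 'SELECT Id, Name FROM Account WHERE Name LIKE \'%' + safeInput + '%\'';
        return Database.query(q);
    }

    // Hardened (2): bind variable. Database.query resolves :pattern from the
    // enclosing scope, so the term is never concatenated into the query text.
    public static List<Account> searchBound(String userInput) {
        String pattern = '%' + userInput + '%';
        return Database.query('SELECT Id, Name FROM Account WHERE Name LIKE :pattern');
    }

    // SOSL equivalent: the FIND term is a quoted literal, so the same escaping
    // applies before the term is placed into the search string.
    public static List<List<SObject>> findEscaped(String userInput) {
        String safeTerm = (userInput != null) ? String.escapeSingleQuotes(userInput) : '';
        String s = 'FIND \'' + safeTerm + '*\' IN ALL FIELDS RETURNING Account(Id, Name), Contact, Lead';
        return Search.query(s);
    }
}
```

escapeSingleQuotes only neutralises the quote character; LIKE wildcards (% and _) in the term still act as wildcards, so filter or strip them separately if exact matching is required.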
References:
http://metillium.com/2016/03/variable-binding-in-dynamic-soql/