
Metadata

ID: apex-security/csrf-constructor

Language: Apex

Severity: Warning

Category: Security

CWE: 352

Description

Placing DML operations inside an Apex class constructor or initializer can cause unintended side effects. For example, simply loading a Visualforce page or initializing a component could automatically run inserts, updates, or deletes — modifying the database without any explicit user action. This makes the behavior unpredictable and potentially insecure. In contrast, performing SOQL queries in constructors or initializers is allowed, since queries do not modify data.

For example, in the code below, merely accessing a page that references AccountHandler causes a database insert, even if the user never intended to create a record.

public class AccountHandler {
    public AccountHandler() {
        // Dangerous: Just initializing this class will insert a record
        Account acc = new Account(Name = 'Auto Created');
        insert acc;
    }
}

Non-Compliant Code Examples

public class MyClass {
    public MyClass() {
        // Non-compliant: DML runs as a side effect of constructing the class
        Account something = new Account(Name = 'Auto Created');
        insert something;
    }
}

Compliant Code Examples

public class MyClass {
    public MyClass() {
        // anything but a DML statement
    }
}
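To show where the insert belongs instead, here is an added example (not Datadog's rule code) that moves the DML out of the constructor into an explicit action method; the controller name, the page name and the `createAccount` method are assumed. Loading the page is a GET that runs only the constructor, so the constructor is restricted to read-only work, and the insert runs solely on the user's form submission.

```apex
// Added example, not from the Datadog rule page. Names are assumed.
public with sharing class AccountHandlerController {
    public Account acc { get; set; }
    public Integer existingCount { get; private set; }

    // Constructor: read-only work only. Loading the page cannot change data.
    public AccountHandlerController() {
        acc = new Account();
        // A SOQL query is fine here, since it does not modify data.
        existingCount = [SELECT COUNT() FROM Account];
    }

    // Explicit action bound to a button: the insert happens only when the
    // user submits the form, never as a side effect of loading the page.
    public PageReference createAccount() {
        insert acc;
        return null;
    }
}

/* Constructed Visualforce page (assumed name: AccountHandlerPage) wiring the
   action to a button, so the DML is tied to a deliberate user action:

<apex:page controller="AccountHandlerController">
    <apex:form>
        <apex:outputText value="Existing accounts: {!existingCount}"/>
        <apex:inputField value="{!acc.Name}"/>
        <apex:commandButton action="{!createAccount}" value="Create"/>
    </apex:form>
</apex:page>
*/
```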