
Metadata

ID: apex-security/csrf-constructor

Language: Apex

Severity: Warning

Category: Security

CWE: 352

Description

Placing DML operations inside an Apex class constructor or initializer can cause unintended side effects. For example, simply loading a Visualforce page or initializing a component could automatically run inserts, updates, or deletes, modifying the database without any explicit user action. This makes the behavior unpredictable and potentially insecure: a state change that fires on page load is the pattern behind cross-site request forgery (CWE-352). In contrast, performing SOQL queries in constructors or initializers is allowed, since queries do not modify data.

For example, in the code below, accessing a page that references AccountHandler causes a database insert, even if the user didn't intend to create a record.

public class AccountHandler {
    public AccountHandler() {
        // Dangerous: Just initializing this class will insert a record
        Account acc = new Account(Name = 'Auto Created');
        insert acc; 
    }
}

Non-Compliant Code Examples

public class MyClass {
    public MyClass() {
        insert something;
    }
}

Compliant Code Examples

public class MyClass {
    public MyClass() {
        // anything but a DML statement
    }
}
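
As an added illustration (not part of the rule's documentation or Datadog's code), the AccountHandler class from the description can be restructured so that the constructor only queries and the insert runs from an action method tied to an explicit form submission. The property names, the helper methods, and the Visualforce markup shown in the comments are assumptions.

```apex
// Added example, not Datadog's code: hypothetical Visualforce controller.
public with sharing class AccountHandler {
    // Read-only list shown on the page.
    public List<Account> recentAccounts { get; private set; }
    // Bound to an input field on the page (assumed markup).
    public String newAccountName { get; set; }

    public AccountHandler() {
        // SOQL only: loading the page reads data but never modifies it.
        loadRecentAccounts();
    }

    // Action method. Assumed markup inside an <apex:form>:
    //   <apex:commandButton action="{!createAccount}" value="Create"/>
    // The insert runs only on that explicit form submission.
    public PageReference createAccount() {
        if (String.isBlank(newAccountName)) {
            addError('Account name is required.');
            return null;
        }
        if (!Schema.sObjectType.Account.isCreateable()) {
            addError('You do not have permission to create accounts.');
            return null;
        }
        try {
            insert new Account(Name = newAccountName.trim());
        } catch (DmlException e) {
            addError(e.getDmlMessage(0));
            return null;
        }
        newAccountName = null;
        loadRecentAccounts();
        return null; // stay on the same page and re-render
    }

    private void loadRecentAccounts() {
        recentAccounts = [
            SELECT Id, Name FROM Account
            ORDER BY CreatedDate DESC LIMIT 10
        ];
    }

    private void addError(String message) {
        ApexPages.addMessage(
            new ApexPages.Message(ApexPages.Severity.ERROR, message));
    }
}
```

Visualforce form submissions carry the platform's anti-CSRF token; a constructor that runs on an ordinary page load gets no such check by default.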