Placing DML operations inside an Apex class constructor or initializer can cause unintended side effects. For example, simply loading a Visualforce page or initializing a component could automatically run inserts, updates, or deletes — modifying the database without any explicit user action. This makes the behavior unpredictable and potentially insecure. In contrast, performing SOQL queries in constructors or initializers is allowed, since queries do not modify data.
For example, in the code below, simply accessing a page that references AccountHandler causes a database insert, even if the user never intended to create a record.
```apex
public class AccountHandler {
    public AccountHandler() {
        // Dangerous: just initializing this class will insert a record
        Account acc = new Account(Name = 'Auto Created');
        insert acc;
    }
}
```
Non-Compliant Code Examples
```apex
public class MyClass {
    public MyClass() {
        // Non-compliant: a DML statement runs as a side effect of construction
        Account something = new Account(Name = 'Example');
        insert something;
    }
}
```
Compliant Code Examples
```apex
public class MyClass {
    public MyClass() {
        // anything but a DML statement
    }
}
```
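The compliant pattern in practice: a Visualforce controller whose constructor only reads (a SOQL query, which this rule permits) and whose insert runs solely from an action method the user triggers. This is an added example, not code from the rule page; the class name AccountPageController, its properties and the createAccount method are hypothetical.

```apex
// Added example (hypothetical names). The constructor is read-only; the
// only DML sits in an action method bound to an explicit user action.
public with sharing class AccountPageController {
    public List<Account> recentAccounts { get; private set; }
    public String newAccountName { get; set; }

    // Constructor: SOQL only. Loading the page that uses this controller
    // queries data but never modifies it.
    public AccountPageController() {
        recentAccounts = [
            SELECT Id, Name, CreatedDate
            FROM Account
            ORDER BY CreatedDate DESC
            LIMIT 10
        ];
    }

    // Action method, e.g. <apex:commandButton action="{!createAccount}">.
    // A record is inserted only when the user deliberately invokes it.
    public PageReference createAccount() {
        if (String.isBlank(newAccountName)) {
            ApexPages.addMessage(new ApexPages.Message(
                ApexPages.Severity.ERROR, 'Name is required.'));
            return null;
        }
        // Enforce object-level create permission before any DML.
        if (!Schema.sObjectType.Account.isCreateable()) {
            ApexPages.addMessage(new ApexPages.Message(
                ApexPages.Severity.ERROR, 'Insufficient privileges to create Accounts.'));
            return null;
        }
        Account acc = new Account(Name = newAccountName);
        insert acc;
        // Redirect to the new record; the page load that follows only reads.
        PageReference target = new PageReference('/' + acc.Id);
        target.setRedirect(true);
        return target;
    }
}
```

The same split applies to Lightning components: keep constructors and `init` handlers free of DML and put inserts, updates and deletes behind a method the user explicitly calls.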
How to use this rule
```yaml
rulesets:
  - apex-security # Rules to enforce Apex security.
```
Create a static-analysis.datadog.yml with the content above at the root of your repository
Use our free IDE Plugins or add Code Security scans to your CI pipelines