Reinherd

Reputation: 5506

Do I need to escape strings on Symfony2 with Doctrine queries?

I have this code. I get some data from a GET request:

$username = $request->get('username');

And then, I use doctrine to check if this username exists or not:

$found = $em->getRepository('Bundle:Users')->findByNick($username);
if ($found) {
    // nickname in use
} else {
    // not found
}

As you can see, I have no string escaping, so the value is sent directly to Doctrine. Is this a security issue? Should it be slashed for security reasons?
Note that I never use RAW queries, just prebuild ones from Doctrine.

Upvotes: 2

Views: 5056

Answers (1)

Reinherd

Reputation: 5506

There's no need to do it with prepared statements.

You can read here: http://docs.doctrine-project.org/projects/doctrine-dbal/en/latest/reference/security.html

And I've tried it out. This is the query generated by Doctrine:

WHERE t0.nick = 'dasdfaf\\' OR 1'

As you can see, several slashes were added.

Upvotes: 4
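The following is an added example, not code from the question or the answer above. It uses plain PDO against an in-memory SQLite database (PDO is what Doctrine DBAL wraps) to show the mechanism the answer is relying on: a value passed as a bound parameter of a prepared statement never becomes part of the SQL text, while a value concatenated into the query string does. The table, rows and the hostile nickname are constructed for the example; the payload is `dasdfaf' OR '1'='1` rather than the answer's `dasdfaf' OR 1` so that the concatenated query stays syntactically valid and the injection is visible as a result set instead of a syntax error.

```php
<?php
// Added example (not from the original post). Demonstrates why Doctrine's
// findBy*() / setParameter() need no manual slashing: they bind parameters.
// Table contents and the payload below are constructed for the demo.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, nick TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (nick) VALUES ('alice'), ('bob')");

// Hostile input standing in for $request->get('username'): it closes the
// string literal and appends a tautology that consumes the trailing quote.
$username = "dasdfaf' OR '1'='1";

// UNSAFE: the value is pasted into the SQL text. The WHERE clause becomes
//   nick = 'dasdfaf' OR '1'='1'
// which is true for every row, so the caller would report "nickname in use"
// for a name that does not exist. The same happens if you build a DQL string
// by concatenation and hand it to createQuery().
function findByNickUnsafe(PDO $pdo, string $nick): array
{
    $sql = "SELECT nick FROM users WHERE nick = '" . $nick . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// SAFE: the value travels as a bound parameter, separately from the SQL text,
// so the quote inside it is just data. This is what the repository's
// findByNick() and QueryBuilder::setParameter() do for you; adding slashes
// on top of it would only corrupt legitimate nicknames containing quotes.
function findByNickSafe(PDO $pdo, string $nick): array
{
    $stmt = $pdo->prepare('SELECT nick FROM users WHERE nick = :nick');
    $stmt->execute([':nick' => $nick]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Compare the two: the unsafe variant returns every nickname for the hostile
// input, the safe variant returns nothing for it and still finds real users.
var_dump(findByNickUnsafe($pdo, $username));
var_dump(findByNickSafe($pdo, $username));
var_dump(findByNickSafe($pdo, 'alice'));
```

Run it with `php example.php` (the pdo_sqlite extension is bundled with most PHP builds). The practical rule that falls out of it: escaping is the wrong tool for the repository and QueryBuilder APIs, because the driver already separates parameters from SQL; the only place escaping or quoting enters the picture is when you build a raw SQL or DQL string yourself, and there the fix is still to switch to a parameter, not to add slashes.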
