Reputation: 783
In Doctrine 2, how can I protect against SQL injection when using the ORM? I found the following page on the Doctrine site: http://docs.doctrine-project.org/projects/doctrine-dbal/en/latest/reference/security.html
However, that is about the DBAL and not about the ORM.
Is it safe to use something like the following, assuming that $id is a posted value?
$entityManager->getRepository('Product')->find($id);
Or is it better to create the query instead, using named parameters like this:
// DQL Prepared Statements
$dql = "SELECT p FROM Product p WHERE p.id = ?1";
$query = $em->createQuery($dql);
$query->setParameter(1, $_GET['pid']);
$data = $query->getResult();
Please note that I am not looking for just a yes-or-no answer, but for authoritative documentation that confirms this is OK.
Upvotes: 4
Views: 6706
Reputation: 783
I found my answer on this page: http://docs.doctrine-project.org/en/latest/reference/security.html#user-input-and-doctrine-orm.
Upvotes: 4
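As an added example, not taken from the question, the answer, or the Doctrine documentation, the block below puts the two patterns from the question next to the one pattern the linked docs warn against, and adds the caveat that bound parameters only cover values, not identifiers. It assumes a hypothetical App\Entity\Product entity with id, name and price fields, and an injected Doctrine EntityManagerInterface; none of those names come from the original post.

```php
<?php
// Added example; not code from the question or from Doctrine itself.
// Assumed: an App\Entity\Product entity with int $id, string $name, float $price.
use App\Entity\Product;
use Doctrine\ORM\EntityManagerInterface;

// UNSAFE: the request value is concatenated into the DQL text, so Doctrine
// cannot tell query from data. This is the pattern the docs tell you to avoid.
function findProductUnsafe(EntityManagerInterface $em, string $pid): ?Product
{
    $dql = 'SELECT p FROM Product p WHERE p.id = ' . $pid; // do not do this
    return $em->createQuery($dql)->getOneOrNullResult();
}

// SAFE: find() runs a prepared statement and binds the identifier as a
// parameter internally, so the value is never parsed as part of the query.
function findProductById(EntityManagerInterface $em, string $pid): ?Product
{
    // The cast is not what prevents injection (the binding does); it rejects
    // non-numeric input early and matches the column type.
    return $em->getRepository(Product::class)->find((int) $pid);
}

// SAFE: DQL with a named parameter. The DQL is compiled to SQL containing a
// placeholder, and the value travels to the driver separately.
function findProductsByName(EntityManagerInterface $em, string $name): array
{
    $query = $em->createQuery('SELECT p FROM Product p WHERE p.name = :name');
    $query->setParameter('name', $name);
    return $query->getResult();
}

// SAFE, with the caveat that matters in practice: parameters can only stand in
// for values. A column name or ASC/DESC direction cannot be bound, so anything
// user-controlled that ends up in those positions must be checked against a
// fixed allow-list before it is placed into the query string.
function listProductsSorted(
    EntityManagerInterface $em,
    string $sortField,
    string $direction,
    string $minPrice
): array {
    $allowedFields = ['id', 'name', 'price'];
    if (!in_array($sortField, $allowedFields, true)) {
        $sortField = 'id';                       // unknown field: fall back
    }
    $direction = strtoupper($direction) === 'DESC' ? 'DESC' : 'ASC';

    return $em->createQueryBuilder()
        ->select('p')
        ->from(Product::class, 'p')
        ->where('p.price >= :minPrice')
        ->setParameter('minPrice', (float) $minPrice) // value: bound
        ->orderBy('p.' . $sortField, $direction)      // identifier: allow-listed
        ->getQuery()
        ->getResult();
}
```

The repository call and the parameterised DQL from the question are therefore equivalent from an injection standpoint; the distinction that counts is whether user input is bound as a parameter or spliced into the DQL string, and for the parts of a query that cannot be parameters (field names, sort direction, LIMIT values passed to setMaxResults) validation or casting has to do the work instead.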