angelique000
Reputation: 909
Is this Doctrine query SQL injection-proof?
I saw this (Symfony) Doctrine query. Is this SQL injection-proof?
$input = $_GET['input'];
$query = $connection->createQueryBuilder();
$query->select('id')->from('table')->where('name = ' . $input); // does Doctrine escape this input?
$statement = $query->execute();
var_dump($statement->fetchAll());
Upvotes: 0
Views: 635
Answers (1)
letibelim
Reputation: 384
It is not. You have to use prepared queries with parameters. Something along thoses lines :
$input = $_GET['input'];
$query = $connection->createQueryBuilder();
$query->select('id')->from('table')->where('name = :input');
$query->setParameter('input', $input)
...
Upvotes: 2
Related Questions
- doctrine 2 orm and sql injection
- Does Symfony 2 request object protect against sql injection
- Is Doctrine persist() safe from SQL injection?
- Doctrine 1 allowing SQL Injection?
- Is this query injection proof?
- SQL injection in Symfony/Doctrine
- Doctrine2 security
- Doctrine and SQL Injection
- Is this SQL query safe from injection?
- Is this little Doctrine2 dynamic SQL enough safe of injection?