user1200536

Reputation: 17

Doctrine2 FindOneBy and SQL Injection

Is this code (in Doctrine2) secured against SQL injection? Or should $_GET['value'] be sanitized?

$ret = $entityManager->getRepository('SomeEntity')->findOneBy(array('ID' => $_GET['value']));

Thank you

Upvotes: 1

Views: 2169

Answers (1)

PatrikAkerstrand

Reputation: 45721

It is secured from SQL injection. You can look at the source to find this out; the relevant code is in the Doctrine\ORM\Persisters namespace, as well as Doctrine\ORM\EntityRepository and Doctrine\ORM\UnitOfWork.

Your criteria are converted into placeholders, which is also the recommended way of writing your own queries to protect against SQL injection.

Upvotes: 5
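To make the placeholder point concrete, here is an added example that is not part of the question or the answer and not Doctrine's own code. It first runs the same lookup both ways against an in-memory SQLite table through plain PDO, so it executes without Doctrine and shows what a bound parameter changes, then gives the equivalent Doctrine forms. The `SomeEntity` class, its `id` field, the `some_entity` table and the "1 OR 1=1" input are all constructed for the illustration.

```php
<?php
// Added example (not from the question, the answer or Doctrine): why bound
// placeholders protect a findOneBy()-style lookup. Part 1 uses PDO + SQLite so it
// runs stand-alone; part 2 shows the same idea with Doctrine's API (not executed).

use Doctrine\ORM\EntityManagerInterface;

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE some_entity (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO some_entity (id, name) VALUES (1, 'alice'), (2, 'bob')");

// Constructed untrusted input, standing in for $_GET['value']: it looks like an
// id but carries SQL syntax that would widen the WHERE clause if interpolated.
$untrusted = '1 OR 1=1';

// Unsafe: the value is spliced into the SQL text, so its syntax becomes part of
// the query and the database evaluates "id = 1 OR 1=1".
function findByIdUnsafe(PDO $pdo, string $value): array
{
    $sql = "SELECT id, name FROM some_entity WHERE id = $value";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the value travels as a bound parameter. The database compares the id
// column against the entire string "1 OR 1=1", which matches nothing. This is
// the mechanism Doctrine's persisters use for findOneBy() criteria.
function findByIdSafe(PDO $pdo, string $value): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM some_entity WHERE id = :id');
    $stmt->execute([':id' => $value]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$unsafe = findByIdUnsafe($pdo, $untrusted);
$safe   = findByIdSafe($pdo, $untrusted);
printf("unsafe query returned %d rows\n", count($unsafe)); // 2: the OR clause took effect
printf("safe query returned %d rows\n", count($safe));     // 0: no id equals "1 OR 1=1"

// Part 2 (assumes a mapped SomeEntity with an "id" field; defined but not run here).
function findWithDoctrine(EntityManagerInterface $em, string $value): ?object
{
    // findOneBy() binds the criteria value as a parameter, as the answer describes.
    $viaRepository = $em->getRepository(SomeEntity::class)->findOneBy(['id' => $value]);

    // The same protection for a hand-written DQL query: a named placeholder plus
    // setParameter(), instead of concatenating $value into the DQL string.
    $viaQuery = $em->createQueryBuilder()
        ->select('e')
        ->from(SomeEntity::class, 'e')
        ->where('e.id = :id')
        ->setParameter('id', $value)
        ->getQuery()
        ->getOneOrNullResult();

    return $viaQuery ?? $viaRepository;
}
```

Running the first part prints 2 rows for the interpolated query and 0 for the parameterized one; the only difference between the two functions is whether the input is treated as SQL text or as a value. Sanitizing `$_GET['value']` is therefore unnecessary for injection purposes when it is passed as a `findOneBy()` criterion, though validating that it is a well-formed id is still sensible for ordinary input hygiene.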
