
In Doctrine 2, how can I protect against SQL injection when using the ORM? I found the following page on the Doctrine site: http://docs.doctrine-project.org/projects/doctrine-dbal/en/latest/reference/security.html

However, that is about DBAL and not about the ORM.

Is it safe to use things like below assuming that $id is a posted value?

$entityManager->getRepository('Product')->find($id);

Or is it better to create the query instead using named parameters like this:

// DQL prepared statement: the value is bound as a positional parameter,
// never concatenated into the query string
$dql = "SELECT p FROM Product p WHERE p.id = ?1";
$query = $entityManager->createQuery($dql);
$query->setParameter(1, $_GET['pid']);
$data = $query->getResult();

Please note that I don't seek just a yes or no answer, but whether there is some authoritative documentation that ensures that this is OK.

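The three safe patterns the question touches on (repository finder, DQL with a bound parameter, QueryBuilder), side by side with the one case parameter binding cannot cover, as an added example that is not from the question or from the Doctrine documentation. It assumes a configured `EntityManager` in `$em` and a mapped `Product` entity with `name`, `price` and `createdAt` fields.

```php
<?php
// Added example, not from the original post. Assumes a configured
// Doctrine\ORM\EntityManager and a mapped Product entity (both hypothetical here).
use Doctrine\ORM\EntityManagerInterface;

function findProductSafely(EntityManagerInterface $em, string $rawId): ?Product
{
    // 1. Repository finders bind the value as a query parameter internally,
    //    so a posted id is never spliced into the SQL text.
    return $em->getRepository(Product::class)->find($rawId);
}

function findProductByDql(EntityManagerInterface $em, string $rawId): array
{
    // 2. DQL with a named parameter: the placeholder is sent to the driver
    //    and the value is bound separately.
    $dql = 'SELECT p FROM Product p WHERE p.id = :id';
    return $em->createQuery($dql)->setParameter('id', $rawId)->getResult();
}

function searchProducts(EntityManagerInterface $em, string $term, string $sortField): array
{
    // 3. QueryBuilder: the search term is a bound value. LIKE wildcards in user
    //    input are not escaped by Doctrine; the escape character is database
    //    dependent, backslash is assumed here.
    $qb = $em->createQueryBuilder()
        ->select('p')->from(Product::class, 'p')
        ->where('p.name LIKE :term')
        ->setParameter('term', '%' . addcslashes($term, '%_\\') . '%');

    // An identifier (the field named in ORDER BY) cannot be a parameter, so
    // it has to be validated against an allowlist before it enters the DQL string.
    $allowedSort = ['name', 'price', 'createdAt'];
    if (!in_array($sortField, $allowedSort, true)) {
        throw new InvalidArgumentException('Unsupported sort field: ' . $sortField);
    }
    return $qb->orderBy('p.' . $sortField, 'ASC')->getQuery()->getResult();
}

// The pattern to avoid: concatenating the raw value into the DQL string.
// $em->createQuery("SELECT p FROM Product p WHERE p.id = " . $_GET['pid']);
```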

1 Answer


I found my answer on this page: http://docs.doctrine-project.org/en/latest/reference/security.html#user-input-and-doctrine-orm.


1 Comment

That page no longer exists. I guess the page you referred to is this: doctrine-project.org/projects/doctrine-orm/en/latest/reference/…
