No, this is NOT secure.
Use a parameter: $qb->andWhere($qb->expr()->like($field, ':word'))->setParameter('word', '%' . $word . '%');
String concatenation must ALWAYS be avoided.
Marco Pivetta
http://twitter.com/Ocramius
http://ocramius.github.com/
On 6 March 2014 01:17, craigh <[email protected]> wrote:
> consider
>
> $qb->expr()->like($field, $qb->expr()->literal('%' . $word . '%'));
>
> where $word is from user input
>
> Is this safe/secure?
>
> I know using parameter binding would be preferred, but for the sake of
> argument, let's say that's not available in this context.... ;-)
>
> --
> You received this message because you are subscribed to the Google Groups
> "doctrine-user" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at http://groups.google.com/group/doctrine-user.
> For more options, visit https://groups.google.com/groups/opt_out.
>
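Added example, not code from the thread or from Doctrine: the binding pattern Marco recommends, next to the string-splicing pattern craigh asked about, so the difference can be observed. The Doctrine helper uses only the QueryBuilder calls from Marco's reply; the rest runs the same idea at the driver level with PDO. Assumptions: PHP with the pdo_sqlite extension, a constructed `users` table, and the helper names `addWordFilter`, `escapeLike`, `searchUnsafe` and `searchBound` are all mine.

```php
<?php
// Added example (not from the thread): parameter binding vs. splicing user
// input into the query text. Assumes the pdo_sqlite extension is available.
declare(strict_types=1);

// Doctrine form of the fix, as in Marco's reply. $field must be a trusted
// identifier such as 'u.name': identifiers cannot be bound as parameters,
// so never build $field from user input either. Typed as object so this
// file loads without Doctrine installed; pass a Doctrine\ORM\QueryBuilder.
function addWordFilter(object $qb, string $field, string $word): object
{
    return $qb->andWhere($qb->expr()->like($field, ':word'))
              ->setParameter('word', '%' . $word . '%');
}

// Binding stops injection, but % and _ inside $word are still LIKE
// wildcards. Escape them and pair the pattern with ESCAPE '\' in the query
// when the user's text should match literally.
function escapeLike(string $word, string $esc = '\\'): string
{
    return str_replace([$esc, '%', '_'], [$esc . $esc, $esc . '%', $esc . '_'], $word);
}

// Constructed sample data (hypothetical table, not from the thread).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
foreach (['alice', 'bob', '100%_sure'] as $name) {
    $pdo->prepare('INSERT INTO users (name) VALUES (?)')->execute([$name]);
}

// Unsafe: the pattern is spliced into the SQL text, so a quote in $word
// changes the structure of the statement instead of being data.
function searchUnsafe(PDO $pdo, string $word): array
{
    $sql = "SELECT name FROM users WHERE name LIKE '%" . $word . "%'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe: the pattern travels as a bound value and can only ever be data.
function searchBound(PDO $pdo, string $word): array
{
    $stmt = $pdo->prepare("SELECT name FROM users WHERE name LIKE :word ESCAPE '\\'");
    $stmt->execute(['word' => '%' . escapeLike($word) . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$payload = "zzz%' OR '1%'='1";          // constructed attacker input
print_r(searchUnsafe($pdo, $payload));  // all three rows: the OR was injected
print_r(searchBound($pdo, $payload));   // empty: no name contains that text

print_r(searchUnsafe($pdo, '_'));       // all three rows: _ matched any character
print_r(searchBound($pdo, '_'));        // only '100%_sure': _ matched literally
```

Binding alone would still return every row for the `_` search; the wildcard escaping is a separate concern from injection, which is why `escapeLike()` is applied inside the bound value rather than to the query text.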