This is mentioned in the security notes: http://docs.doctrine-project.org/en/latest/reference/security.html
You are *NOT* safe from SQL injection when using user input with:
- Expression API of Doctrine\ORM\QueryBuilder

On Thu, Mar 6, 2014 at 2:09 AM, Marco Pivetta <[email protected]> wrote:
> No, this is NOT secure.
>
> Use a parameter: $qb->andWhere($qb->expr()->like($field, ':word'))->setParameter('word', '%' . $word . '%');
>
> String concatenation has to be ALWAYS avoided
>
> Marco Pivetta
>
> http://twitter.com/Ocramius
>
> http://ocramius.github.com/
>
>
> On 6 March 2014 01:17, craigh <[email protected]> wrote:
>
>> consider
>>
>> $qb->expr()->like($field, $qb->expr()->literal('%' . $word . '%'));
>>
>> where $word is from user input
>>
>> Is this safe/secure?
>>
>> I know using parameter binding would be preferred, but for the sake of
>> argument, let's say that's not available in this context.... ;-)
>>

--
You received this message because you are subscribed to the Google Groups "doctrine-user" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/doctrine-user.
For more options, visit https://groups.google.com/groups/opt_out.
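Added example, written for this thread and not code from the thread, from Doctrine or from the security notes: a small PHP search helper that applies the parameter-binding pattern Marco Pivetta recommends, and adds two checks the thread only implies. First, `$field` is interpolated into the DQL string and cannot be bound as a parameter, so it is restricted to an allowlist rather than taken from user input. Second, binding `$word` stops SQL injection but does not stop `%` and `_` inside it from acting as LIKE wildcards, so they are escaped. The entity class `App\Entity\Article`, the alias `a` and the field names `title` and `body` are hypothetical; the escaping assumes the database's default LIKE escape character is a backslash, as it is on MySQL and PostgreSQL.

```php
<?php
// Added example (not from the thread or from Doctrine). Assumes a Doctrine ORM
// EntityManager and a hypothetical entity App\Entity\Article with string
// columns `title` and `body`.

use Doctrine\ORM\EntityManagerInterface;
use Doctrine\ORM\QueryBuilder;

final class ArticleSearch
{
    /**
     * $field is concatenated into DQL and cannot be a bound parameter,
     * so only these (hypothetical) names may ever reach the query.
     */
    private const SEARCHABLE_FIELDS = ['title', 'body'];

    public function __construct(private EntityManagerInterface $em)
    {
    }

    /**
     * Escape LIKE metacharacters so the user's text is matched literally.
     * Parameter binding already prevents injection; this only stops '%' and
     * '_' in the input from widening the match. Assumes backslash is the
     * platform's default LIKE escape character (MySQL, PostgreSQL).
     */
    public static function escapeLikeValue(string $value): string
    {
        return addcslashes($value, '\\%_');
    }

    /**
     * Build "SELECT a FROM Article a WHERE a.<field> LIKE :word" with the
     * user-supplied $word passed only as a bound parameter, never as part
     * of the DQL string (no literal() and no string concatenation).
     */
    public function build(string $field, string $word): QueryBuilder
    {
        if (!in_array($field, self::SEARCHABLE_FIELDS, true)) {
            throw new \InvalidArgumentException("Field is not searchable: $field");
        }

        $qb = $this->em->createQueryBuilder()
            ->select('a')
            ->from(\App\Entity\Article::class, 'a');

        // The placeholder ':word' is the only thing in the expression; the
        // wildcards are added around the escaped value on the parameter side.
        $qb->andWhere($qb->expr()->like('a.' . $field, ':word'))
           ->setParameter('word', '%' . self::escapeLikeValue($word) . '%');

        return $qb;
    }
}

// Usage (assumes $entityManager is an existing EntityManagerInterface):
// $articles = (new ArticleSearch($entityManager))
//     ->build('title', $_GET['q'] ?? '')
//     ->getQuery()
//     ->getResult();
```

The allowlist check matters because the `$field` argument in the thread's own examples is just as much part of the DQL string as the literal was; the bound parameter protects the value, not the column name.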
