I appreciate the feedback. I've changed it to use parameters - see below.
Any other suggestions?
/**
 * Construct a QueryBuilder Where orX|andX Expr instance
 *
 * Every word must match (andX) or any word may match (orX); within one
 * word, any of the given fields may match. Each word/field pair gets its
 * own positional parameter so the search value never enters the DQL text.
 *
 * @param QueryBuilder $qb
 * @param array $words the words to query for
 * @param array $fields the entity fields to search, e.g. 'a.title'
 * @param string $searchtype AND|OR|EXACT
 * @return null|\Doctrine\ORM\Query\Expr\Composite
 */
public function formatWhere(QueryBuilder $qb, array $words, array $fields, $searchtype = 'AND')
{
    if (empty($words) || empty($fields)) {
        return null;
    }
    $method = ($searchtype == 'OR') ? 'orX' : 'andX';
    /** @var $where \Doctrine\ORM\Query\Expr\Composite */
    $where = $qb->expr()->$method();
    $i = 1;
    foreach ($words as $word) {
        // one OR group per word: the word may appear in any field
        $subWhere = $qb->expr()->orX();
        foreach ($fields as $field) {
            // bind the pattern as positional parameter ?N, never concatenate it
            $expr = $qb->expr()->like($field, "?$i");
            $subWhere->add($expr);
            $qb->setParameter($i, '%' . $word . '%');
            $i++;
        }
        $where->add($subWhere);
    }
    return $where;
}
On Wednesday, March 5, 2014 8:09:43 PM UTC-5, Marco Pivetta wrote:
>
> No, this is NOT secure.
>
> Use a parameter: $qb->andWhere($qb->expr()->like($field,
> ':word'))->setParameter('word', '%' . $word . '%');
>
> String concatenation has to be ALWAYS avoided
>
> Marco Pivetta
>
> http://twitter.com/Ocramius
>
> http://ocramius.github.com/
>
>
> On 6 March 2014 01:17, craigh <[email protected]> wrote:
>
>> consider
>>
>> $qb->expr()->like($field, $qb->expr()->literal('%' . $word . '%'));
>>
>> where $word is from user input
>>
>> Is this safe/secure?
>>
>> I know using parameter binding would be preferred, but for the sake of
>> argument, let's say that's not available in this context.... ;-)
>>
>
>
--
You received this message because you are subscribed to the Google Groups
"doctrine-user" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/doctrine-user.
For more options, visit https://groups.google.com/groups/opt_out.
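The point Marco makes above (bind the search value, never splice it into the query text) and two caveats a reviewer would raise about the helper posted at the top of this message, shown side by side. This is an added example and not code from the thread or from Doctrine: it uses plain PDO against an in-memory SQLite table instead of the Doctrine QueryBuilder, and the table, rows, field whitelist and search inputs are all constructed for the demo. The two caveats are (1) parameters can bind values only, so the field names that end up in `LIKE` are identifiers and must come from a whitelist, and (2) `%` and `_` inside the user's word are LIKE wildcards and need escaping (here with an `ESCAPE` clause) if the word is meant to be matched literally.

```php
<?php
// Added example (not code from the thread): multi-word, multi-field LIKE
// search built unsafely by concatenation and safely with bound parameters.
// Everything below (table, rows, inputs) is constructed for the demo.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT, body TEXT, secret INTEGER)');
$pdo->exec("INSERT INTO article (title, body, secret) VALUES
    ('Doctrine query builder', 'binding parameters', 0),
    ('100% done', 'status update', 0),
    ('Served 1000 users', 'scaling notes', 0),
    ('Board minutes', 'draft, do not publish', 1)");

// UNSAFE: the user's word is spliced into the SQL text. A word such as
// "x') OR 1=1 --" closes the parenthesis and comments out the rest of the
// WHERE clause, so the secret = 0 filter no longer applies.
function unsafeSearch(PDO $pdo, array $words, array $fields): array
{
    $clauses = [];
    foreach ($words as $word) {
        $or = [];
        foreach ($fields as $field) {
            $or[] = "$field LIKE '%" . $word . "%'";
        }
        $clauses[] = '(' . implode(' OR ', $or) . ')';
    }
    $sql = 'SELECT id FROM article WHERE secret = 0 AND ' . implode(' AND ', $clauses);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Build the LIKE pattern for one word: escape the LIKE metacharacters
// (\, %, _) with a backslash so they match literally, then add wildcards.
function likePattern(string $word): string
{
    return '%' . addcslashes($word, '\\%_') . '%';
}

// SAFE: the pattern is bound as a named parameter per word/field pair;
// field names are identifiers, which cannot be bound, so they are checked
// against a whitelist (hypothetical column list for this demo).
function safeSearch(PDO $pdo, array $words, array $fields): array
{
    $allowedFields = ['title', 'body'];
    $clauses = [];
    $params = [];
    $i = 1;
    foreach ($words as $word) {
        $or = [];
        foreach ($fields as $field) {
            if (!in_array($field, $allowedFields, true)) {
                throw new InvalidArgumentException("unknown search field: $field");
            }
            $or[] = "$field LIKE :w$i ESCAPE '\\'";
            $params[":w$i"] = likePattern($word);
            $i++;
        }
        $clauses[] = '(' . implode(' OR ', $or) . ')';
    }
    $stmt = $pdo->prepare('SELECT id FROM article WHERE secret = 0 AND ' . implode(' AND ', $clauses));
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$fields = ['title', 'body'];
$injected = "x') OR 1=1 --";

echo "unsafe, normal word:   ", json_encode(unsafeSearch($pdo, ['doctrine'], $fields)), PHP_EOL;
echo "unsafe, injected word: ", json_encode(unsafeSearch($pdo, [$injected], $fields)), PHP_EOL;
echo "safe, injected word:   ", json_encode(safeSearch($pdo, [$injected], $fields)), PHP_EOL;
echo "safe, literal '100%':  ", json_encode(safeSearch($pdo, ['100%'], $fields)), PHP_EOL;
echo "safe, two words:       ", json_encode(safeSearch($pdo, ['query', 'binding'], $fields)), PHP_EOL;
```

Run with `php example.php` (needs the pdo_sqlite extension). The injected word makes the concatenated version return every row, the secret one included, while the bound version treats the whole string as a literal and matches nothing; the `'100%'` search hits only the row containing a literal `100%`, not the `1000 users` row that an unescaped `%100%%` pattern would also match. Two notes on the helper in this message: `$field` goes into the DQL as an identifier in the same way, so its values should come from a fixed list rather than from the request; and the positional `?N` parameters start at 1 regardless of what the builder already holds, so if the QueryBuilder was given positional parameters elsewhere the numbers collide, which named parameters avoid.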