4

In Doctrine 2, how can I protect against SQL injections when using the ORM? I found the following page on the Doctrine site: http://docs.doctrine-project.org/projects/doctrine-dbal/en/latest/reference/security.html

However, that is about DBAL and not about the ORM.

Is it safe to use things like below assuming that $id is a posted value?

$entityManager->getRepository('Product')->find($id);

Or is it better to create the query instead using named parameters like this:

// DQL prepared statement: the user value is bound as a positional parameter,
// not concatenated into the DQL string
$dql = "SELECT p FROM Product p WHERE p.id = ?1";
$query = $em->createQuery($dql);
$query->setParameter(1, $_GET['pid']);
$data = $query->getResult();

Please note that I don't seek just a yes or no answer, but whether there is some authoritative documentation that ensures that this is ok.

J. Rahmati
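The following is an added example, not code from the question or from the Doctrine project, showing the same product lookup written the unsafe way (user input concatenated into DQL) next to the parameterized forms the question asks about, plus the one case parameters cannot cover. It assumes an injected EntityManager and a mapped entity class App\Entity\Product with an "id" field; both names are assumptions of this example.

```php
<?php
// Added example (not from the original post or Doctrine's docs).
// Assumptions: an EntityManagerInterface $em and a mapped entity
// App\Entity\Product with an "id" field and a "name"/"price" field.

use App\Entity\Product;
use Doctrine\ORM\EntityManagerInterface;

final class ProductLookup
{
    // Fields a caller may sort on; anything else is rejected.
    private const SORTABLE = ['id', 'name', 'price'];

    public function __construct(private EntityManagerInterface $em) {}

    // UNSAFE: the request value becomes part of the DQL text. DQL is parsed
    // and translated to SQL by Doctrine, so text that reaches the parser is
    // as exposed to injection as text concatenated into raw SQL.
    public function findUnsafe(string $id): array
    {
        $dql = 'SELECT p FROM ' . Product::class . ' p WHERE p.id = ' . $id;
        return $this->em->createQuery($dql)->getResult();
    }

    // SAFE: find() takes the identifier as a value and binds it; the value
    // never enters the query text.
    public function findById(int|string $id): ?Product
    {
        return $this->em->getRepository(Product::class)->find($id);
    }

    // SAFE: positional parameter, the form used in the question.
    public function findPositional(string $id): array
    {
        return $this->em
            ->createQuery('SELECT p FROM ' . Product::class . ' p WHERE p.id = ?1')
            ->setParameter(1, $id)
            ->getResult();
    }

    // SAFE: named parameter through the QueryBuilder; same binding mechanism.
    public function findNamed(string $id): array
    {
        return $this->em->createQueryBuilder()
            ->select('p')
            ->from(Product::class, 'p')
            ->where('p.id = :id')
            ->setParameter('id', $id)
            ->getQuery()
            ->getResult();
    }

    // Parameters bind values only. Identifiers such as a field name in
    // ORDER BY cannot be bound, so user-chosen identifiers must be checked
    // against an allow-list before being placed in the DQL text.
    public function listSorted(string $field): array
    {
        if (!in_array($field, self::SORTABLE, true)) {
            throw new \InvalidArgumentException('Unsupported sort field');
        }
        return $this->em->createQueryBuilder()
            ->select('p')
            ->from(Product::class, 'p')
            ->orderBy('p.' . $field, 'ASC')
            ->getQuery()
            ->getResult();
    }
}
```

findById, findPositional and findNamed all hand the user value to Doctrine as a bound parameter, so the generated SQL is a prepared statement with a placeholder; findUnsafe is the pattern to look for in review. listSorted shows the limit of parameter binding: a sort field or direction taken from the request has to be validated against a fixed list, because there is no placeholder for identifiers.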

1 Answer

4

I found my answer on this page: http://docs.doctrine-project.org/en/latest/reference/security.html#user-input-and-doctrine-orm.

J. Rahmati
  • That page no longer exists. I guess the page you referred to is this: https://www.doctrine-project.org/projects/doctrine-orm/en/latest/reference/security.html#security – Nelson Teixeira Apr 17 '18 at 19:00