
Does Doctrine automatically prevent SQL injection?
Is the following code secure?

$user = new Model_User();
$user->name = $_POST['username'];
$user->save();
cheesemacfly
peter

2 Answers


As far as SQL injection is concerned, I think there will be no problem. But you might want to make sure as well that the username is well formed (could for instance be <script>//do something bad</script> and that script would for instance be executed when you output that user name somewhere on the site)

Vincent Mimoun-Prat

You'll be safe from SQL injection with Doctrine (and any other PDO-based database library) as long as you use bound parameters (Doctrine will be using these under the hood so your example is fine), but you shouldn't ever use input from a client without sanitizing it first. Take a look at PHP's Filter library - in particular the sanitization example. In your case, you'd want to at least validate that the name is a string using FILTER_SANITIZE_STRING "Strip tags, optionally strip or encode special characters.".

Craig
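The following is an added example, not code from the question or from either answer, that shows the two points the answers make: bound parameters keep submitted data out of the SQL text (the mechanism the second answer says Doctrine uses under the hood), and the XSS concern from the first answer is handled by escaping at the point of HTML output rather than by altering the stored value. It uses PDO directly against an in-memory SQLite database so it runs without Doctrine or a database server; `Model_User` from the question is assumed to be a Doctrine record class and is not used here. The validation policy (non-empty, at most 64 bytes) and the sample inputs are constructed for the example.

```php
<?php
// Added example: PDO bound parameters plus output encoding. Not the
// question's Model_User code and not part of Doctrine itself.

function openDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Real server-side prepares, so the driver never interpolates values into SQL text.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    return $pdo;
}

// Input validation as the second answer recommends. The policy here
// (non-empty, at most 64 bytes) is a constructed example, not from the answers.
function validateUsername(string $raw): string {
    $name = trim($raw);
    if ($name === '' || strlen($name) > 64) {
        throw new InvalidArgumentException('username must be 1-64 bytes');
    }
    return $name;
}

// Bound parameter: the value is sent separately from the SQL statement, so a
// quote character inside it is data, never SQL syntax.
function insertUser(PDO $pdo, string $name): int {
    $stmt = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

function findUserName(PDO $pdo, int $id): ?string {
    $stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['name'];
}

// Output encoding for the XSS concern in the first answer: the stored name is
// kept as submitted and escaped only when it is written into HTML.
function renderName(string $name): string {
    return htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed inputs standing in for $_POST['username']: one with a quote
// character, one with the markup the first answer mentions.
$samples = ["O'Brien", '<script>//do something bad</script>'];

$pdo = openDb();
foreach ($samples as $raw) {
    $name   = validateUsername($raw);
    $id     = insertUser($pdo, $name);
    $stored = findUserName($pdo, $id);
    // The stored value matches the input byte for byte: the quote did not break
    // the INSERT, and the rendered form is inert in an HTML context.
    printf("id=%d stored=%s rendered=%s\n", $id, $stored, renderName($stored));
}
```

Two notes on the design: escaping is done on output rather than on storage because the same name may later be emitted into HTML, JSON or a log line, each of which needs its own encoding; and the `FILTER_SANITIZE_STRING` filter mentioned in the second answer is deprecated as of PHP 8.1, so on current PHP the validate-then-encode pattern above is the one to reach for.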