Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
N
N
Never Ever2021-10-08 12:28:19
symfony
Never Ever, 2021-10-08 12:28:19

Does expr()->literal() protect against SQL injection?

They make a filter and have doubts about such a decision. Is SQL injection possible? If so, how to solve.

$orStatements = $this->queryBuilder->expr()->orX();
foreach ($result as $value) {
    $orStatements->add(
        $this->queryBuilder->expr()->like('table.column', $this->queryBuilder->expr()->literal('%' . $value . '%'))
    );
}
$this->queryBuilder->andWhere($orStatements);

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

1 answer(s)
Report
S
sl0, 2021-10-08
@sl0

https://www.doctrine-project.org/projects/doctrine...
You are NOT safe from SQL injection when using user input with:
Expression API of Doctrine\ORM\QueryBuilder
Concatenating user input into DQL SELECT, UPDATE or DELETE statements or Native SQL.

Similar questions
S
Strate2012-06-07 23:55:17
How to use Postgresql schemas in Doctrine 2? 3Reply
A
Alexander2021-07-27 11:30:13
How can I proxy a request from one controller to another? 1Reply
V
vetsinen2018-04-05 11:24:08
Is it possible to implement sorting by different fields in a table without code duplication? 1Reply
A
Alexander2021-07-29 16:03:00
How to use singleton? 1Reply
S
Strate2012-08-12 16:14:16
Entity inheritance via Superclass in Doctrine 2, why are fields copied to descendants? 2Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question