Is this Doctrine query SQL injection-proof?

I came across this (Symfony) Doctrine query. Is it SQL injection-proof?

$input = $_GET['input'];

$query = $connection->createQueryBuilder();
$query->select('id')->from('table')->where('name = ' . $input); // does Doctrine escape this input?
$statement = $query->execute();
var_dump($statement->fetchAll());

No. You have to use a prepared query with parameters. Something along these lines:

$input = $_GET['input'];

$query = $connection->createQueryBuilder();
$query->select('id')->from('table')->where('name = :input'); // placeholder instead of concatenation
$query->setParameter('input', $input);                       // value is bound by the driver, not pasted into the SQL
$statement = $query->execute();
var_dump($statement->fetchAll());
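To make the difference between the two snippets concrete, here is an added, self-contained script (not code from the question or the answer) that runs both patterns against a small in-memory SQLite table. It assumes doctrine/dbal 3.1 or later is installed via Composer; the table name `users`, its rows, the function names and the three test inputs are all constructed for this example.

```php
<?php
// Added example (not the question's or the answer's code). Assumes doctrine/dbal 3.1+
// installed via Composer; the table, rows and test inputs below are constructed.
require __DIR__ . '/vendor/autoload.php';

use Doctrine\DBAL\Connection;
use Doctrine\DBAL\DriverManager;
use Doctrine\DBAL\Exception as DBALException;

// In-memory SQLite database so the script runs without a database server.
$conn = DriverManager::getConnection(['driver' => 'pdo_sqlite', 'memory' => true]);
$conn->executeStatement('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
foreach (['alice', "o'brien", 'carol'] as $i => $name) {
    $conn->insert('users', ['id' => $i + 1, 'name' => $name]);
}

// The pattern from the question, with quotes added so that a plain name can match at all.
// The QueryBuilder only assembles SQL text here; nothing escapes $input.
function findByNameConcatenated(Connection $conn, string $input): array
{
    $qb = $conn->createQueryBuilder();
    $qb->select('id')->from('users')->where("name = '" . $input . "'");
    return $qb->executeQuery()->fetchAllAssociative();
}

// The pattern from the answer: a named placeholder whose value is bound with setParameter().
// The driver sends the value separately from the SQL, so it is always treated as data.
function findByNameBound(Connection $conn, string $input): array
{
    $qb = $conn->createQueryBuilder();
    $qb->select('id')->from('users')->where('name = :input')->setParameter('input', $input);
    return $qb->executeQuery()->fetchAllAssociative();
}

$inputs = [
    'alice',          // ordinary value
    "o'brien",        // legitimate value that happens to contain a quote
    "x' OR '1'='1",   // constructed value that contains SQL syntax
];

foreach ($inputs as $input) {
    printf("input: %s\n", $input);
    try {
        $rows = findByNameConcatenated($conn, $input);
        printf("  concatenated: %d row(s)\n", count($rows));
    } catch (DBALException $e) {
        // The quote in "o'brien" closes the string literal early; the rest is a syntax error.
        printf("  concatenated: query failed (%s)\n", get_class($e));
    }
    $rows = findByNameBound($conn, $input);
    printf("  bound:        %d row(s)\n", count($rows));
}
```

Running it shows three things the answer implies: for `alice` both versions agree; for the legitimate name `o'brien` the concatenated query fails with a driver exception while the bound query finds the row, because the quote is part of the value rather than part of the SQL; and for the third input the concatenated query's WHERE clause becomes `name = 'x' OR '1'='1'`, which matches every row, while the bound query looks for a name literally equal to that string and returns nothing. Binding parameters is what keeps user input out of the SQL grammar; it is also what makes perfectly normal inputs with quotes work.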