Is this Doctrine query SQL injection-proof?
I came across this (Symfony) Doctrine query. Is it SQL injection-proof?
```php
$input = $_GET['input'];
$query = $connection->createQueryBuilder();
$query->select('id')->from('table')->where('name = ' . $input); // does Doctrine escape this input?
$statement = $query->execute();
var_dump($statement->fetchAll());
```
No. You must use a prepared query with parameters. Something along these lines:
```php
$input = $_GET['input'];
$query = $connection->createQueryBuilder();
// A named placeholder in the SQL text; the value is bound separately below.
$query->select('id')->from('table')->where('name = :input');
$query->setParameter('input', $input);
// Execute and fetch as in the original snippet.
$statement = $query->execute();
var_dump($statement->fetchAll());
```
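To make the difference concrete, here is an added, self-contained example (not code from the question, the answer, or the Doctrine project). It assumes doctrine/dbal 3.x installed through Composer and the pdo_sqlite extension; the `users` table, its rows and the request value are constructed for the demo. It builds both variants with the DBAL QueryBuilder against an in-memory SQLite database and shows, via `getSQL()` and the returned rows, that concatenated input becomes part of the SQL while a bound parameter stays data:

```php
<?php
// Added example, not part of the original question or answer.
// Assumes doctrine/dbal 3.x (Composer autoload) and pdo_sqlite.
require __DIR__ . '/vendor/autoload.php';

use Doctrine\DBAL\DriverManager;

$conn = DriverManager::getConnection(['driver' => 'pdo_sqlite', 'memory' => true]);

// Constructed schema and rows for the demonstration.
$conn->executeStatement('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$conn->executeStatement("INSERT INTO users (name) VALUES ('alice'), ('bob'), ('O''Brien')");

// Constructed request value standing in for $_GET['input']: it contains
// quotes and SQL syntax, so it must not be allowed to reach the parser.
$input = "'alice' OR name = 'bob'";

// 1. The pattern from the question: the input is spliced into the SQL text.
//    Doctrine does not escape or quote it; the string is passed through as SQL.
$unsafe = $conn->createQueryBuilder()
    ->select('id', 'name')
    ->from('users')
    ->where('name = ' . $input);
echo 'Unsafe SQL: ', $unsafe->getSQL(), PHP_EOL;
// SELECT id, name FROM users WHERE name = 'alice' OR name = 'bob'
$unsafeRows = $unsafe->executeQuery()->fetchAllAssociative();
echo 'Unsafe rows: ', count($unsafeRows), PHP_EOL; // 2: the input changed the query's logic

// 2. The pattern from the answer: a placeholder in the SQL, the value bound apart.
//    The driver sends SQL and value separately, so the value is never parsed as SQL.
$safe = $conn->createQueryBuilder()
    ->select('id', 'name')
    ->from('users')
    ->where('name = :name')
    ->setParameter('name', $input);
echo 'Safe SQL: ', $safe->getSQL(), PHP_EOL;
// SELECT id, name FROM users WHERE name = :name   (no request data in the SQL text)
$safeRows = $safe->executeQuery()->fetchAllAssociative();
echo 'Safe rows: ', count($safeRows), PHP_EOL; // 0: no user is literally named "'alice' OR name = 'bob'"

// 3. Binding also handles ordinary values that merely contain a quote,
//    which string concatenation would turn into a syntax error.
$rows = $conn->createQueryBuilder()
    ->select('id')
    ->from('users')
    ->where('name = :name')
    ->setParameter('name', "O'Brien")
    ->executeQuery()
    ->fetchAllAssociative();
echo "O'Brien rows: ", count($rows), PHP_EOL; // 1
```

A quick review check is to call `getSQL()` on any builder that touches request data: the output should contain only `:name`-style placeholders (or `?`), never the data itself. Placeholders bind values only; table names, column names and `ORDER BY` directions cannot be parameterized and, if they come from the request, must be matched against a fixed allow-list before being placed in the query.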