I thought Doctrine 2 DBAL prepared statements were safe from SQLi. But I found this confusing bit in the docs:
By default the Doctrine DBAL does no escaping. Escaping is a very tricky business to do automatically, therefore there is none by default. When you use the Doctrine DBAL as standalone, you have to take care of this yourself.
What does that mean exactly? If someone tries to inject malicious code, will the query fail (as opposed to inserting an escaped value) because the RDBMS protects me? Or am I not protected at all?
I’m using PostgreSQL as my RDBMS.
4
I’d wondered as well.
Googling a lot I found the answer posted by Benjamin Eberlei himself (Doctrine Project Lead and Contributor):
Hello,
of course DBAL uses PDO internally and escapes parameters such as in your example. I think the docs are messed up here. The paragraph relates to the two subparagraphs about quote() and quoteIdentifier() and should mention quoting INSIDE SQL strings (prepared statements are secure of course!). Sorry for the confusion, I should update the docs to be more clear on this.
Greetings, Benjamin
On Sat, 1 Jan 2011 15:12:28 -0800 (PST)
1
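To make the distinction in that reply concrete, here is an added example (not from the question, the answer, or the Doctrine docs) that shows the three cases side by side: a bound parameter, which DBAL hands to PDO as data; string concatenation, which is the case the docs paragraph warns about; and quote()/quoteIdentifier() for the rare situations where SQL really has to be assembled as text. It assumes Doctrine DBAL 3.x installed via Composer and the pdo_sqlite extension; the table, rows and input value are constructed for the demo.

```php
<?php
// Added example, not code from the original post or from the Doctrine project.
// Assumes Doctrine DBAL 3.x (Composer autoload) and the pdo_sqlite extension.
require __DIR__ . '/vendor/autoload.php';

use Doctrine\DBAL\DriverManager;

// In-memory SQLite keeps the demo self-contained; the same calls work on PostgreSQL.
$conn = DriverManager::getConnection(['driver' => 'pdo_sqlite', 'memory' => true]);
$conn->executeStatement('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$conn->insert('users', ['name' => "O'Brien", 'email' => 'ob@example.test']);
$conn->insert('users', ['name' => 'Alice',   'email' => 'alice@example.test']);

// Untrusted input containing a quote and an injection attempt (constructed test value).
$userInput = "O'Brien' OR '1'='1";

// 1) Prepared statement: DBAL passes the value to PDO as a bound parameter, so the
//    database compares the whole string against `name` and never parses it as SQL.
$rows = $conn->fetchAllAssociative(
    'SELECT id, name FROM users WHERE name = ?',
    [$userInput]
);
printf("bound parameter: %d row(s)\n", count($rows));

// 2) String concatenation: this is what the docs paragraph is about. DBAL does no
//    escaping here, so the input becomes part of the SQL text. Kept commented out as
//    the "before" form; never build SQL this way.
// $sql = "SELECT id, name FROM users WHERE name = '" . $userInput . "'";

// 3) If SQL must be assembled as a string, quote() escapes the value for the
//    connection's driver ...
$sql  = 'SELECT id, name FROM users WHERE name = ' . $conn->quote($userInput);
$rows = $conn->fetchAllAssociative($sql);
printf("quote(): %d row(s)\n", count($rows));

// ... and quoteIdentifier() handles table/column names, which cannot be bound as
//    parameters. Still restrict identifiers to an allow-list; quoting alone only
//    stops the name from breaking out of the identifier.
$allowedColumns = ['name', 'email'];
$column = in_array($_GET['col'] ?? 'name', $allowedColumns, true) ? $_GET['col'] ?? 'name' : 'name';
$sql  = 'SELECT ' . $conn->quoteIdentifier($column) . ' FROM ' . $conn->quoteIdentifier('users')
      . ' WHERE id = :id';
$rows = $conn->fetchAllAssociative($sql, ['id' => 1]);
printf("quoteIdentifier(): %s\n", $rows[0][$column]);
```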
I would like to clarify whether you’re just using the DBAL part of Doctrine, or all of it. From my understanding, DBAL is a “lower-level” part of Doctrine that just focuses on communicating with the database.
If you are using Doctrine with Symfony (the most common way I have seen it used), and have created the appropriate entity / repository / query builder classes, then you should not need to escape any values manually. This is because values entered using those classes are automatically escaped using prepared statements (behind the scenes, by Doctrine).
1