I thought Doctrine 2 DBAL prepared statements were safe from SQLi. But I found this confusing bit in the docs:
By default the Doctrine DBAL does no escaping. Escaping is a very tricky business to do automatically, therefore there is none by default. When you use the Doctrine DBAL as standalone, you have to take care of this yourself.
What does that mean exactly? If someone tries to inject malicious code, will the query fail (as opposed to inserting escaped data) because the RDBMS protects me? Or am I not protected at all?
I'm using PostgreSQL as my RDBMS.
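As an added illustration of what that warning means in practice (this is not code from the question or from Doctrine itself; it assumes Doctrine DBAL 3 installed through Composer and uses an in-memory SQLite connection so it runs on its own, with pdo_pgsql binding parameters the same way): a value interpolated into the SQL string is passed to the driver unescaped, the same value passed as a bound parameter cannot alter the statement, and identifiers, which cannot be bound at all, need an allow-list plus quoteIdentifier().

```php
<?php
// Added example (not from the question or the Doctrine docs). Assumes Doctrine
// DBAL 3 via Composer; uses in-memory SQLite so it runs stand-alone (pdo_pgsql
// binds parameters the same way).
require __DIR__ . '/vendor/autoload.php';
use Doctrine\DBAL\Connection;
use Doctrine\DBAL\DriverManager;
use Doctrine\DBAL\ParameterType;

$conn = DriverManager::getConnection(['driver' => 'pdo_sqlite', 'memory' => true]);
$conn->executeStatement('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$conn->insert('users', ['name' => "O'Brien"]);   // constructed sample rows
$conn->insert('users', ['name' => 'alice']);
// UNSAFE: this is what "no escaping" means. The DBAL hands the string to the
// driver untouched, so a quote in $name becomes part of the SQL itself.
function findByNameUnsafe(Connection $conn, string $name): array
{
    return $conn->fetchAllAssociative("SELECT id, name FROM users WHERE name = '$name'");
}

// SAFE: a bound parameter is sent to the driver separately from the SQL text,
// so its content can never change the statement's structure.
function findByNameSafe(Connection $conn, string $name): array
{
    return $conn->fetchAllAssociative(
        'SELECT id, name FROM users WHERE name = ?',
        [$name],
        [ParameterType::STRING]
    );
}

// Identifiers (column/table names) cannot be bound: allow-list the value,
// then quote it with quoteIdentifier(); never interpolate it directly.
function listUsersOrderedBy(Connection $conn, string $column): array
{
    if (!in_array($column, ['id', 'name'], true)) {
        throw new InvalidArgumentException("unsupported sort column: $column");
    }
    return $conn->fetchAllAssociative(
        'SELECT id, name FROM users ORDER BY ' . $conn->quoteIdentifier($column)
    );
}
try {
    findByNameUnsafe($conn, "O'Brien");          // the stray quote breaks the SQL
} catch (\Doctrine\DBAL\Exception $e) {
    echo "unsafe variant failed: input altered the query\n";
}
print_r(findByNameSafe($conn, "O'Brien"));       // finds the row exactly
print_r(listUsersOrderedBy($conn, 'name'));
```

The unsafe variant fails here only because the sample input contains a single quote; with other inputs it would run and silently execute whatever SQL structure the input supplies, which is the risk the docs are pointing at.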
Best Answer
I'd wondered as well. Googling a lot, I found the answer posted by Benjamin Eberlei himself (Doctrine Project Lead and Contributor):