SQL Injection Vulnerability – Doctrine2 Type Specification

Tags: database, doctrine, PHP, sql-injection

I thought Doctrine 2 DBAL prepared statements were safe from SQLi. But I found this confusing bit in the docs:

By default the Doctrine DBAL does no escaping. Escaping is a very
tricky business to do automatically, therefore there is none by
default. When you use the Doctrine DBAL as standalone, you have to
take care of this yourself.

What does that mean exactly? If someone tries to inject malicious code, will the query fail (as opposed to inserting it escaped) because the RDBMS protects me? Or am I not protected at all?

I'm using PostgreSQL as my RDBMS.

Best Answer

I'd wondered as well. Googling a lot I found the answer posted by Benjamin Eberlei himself (Doctrine Project Lead and Contributor):

Hello,

Of course DBAL uses PDO internally and escapes parameters such as in your example. I think the docs are messed up here. The paragraph relates to the two subparagraphs about quote() and quoteIdentifier() and should mention quoting INSIDE SQL strings (prepared statements are secure of course!). Sorry for the confusion, I should update the docs to be more clear on this.

greetings, Benjamin

On Sat, 1 Jan 2011 15:12:28 -0800 (PST)
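To make the distinction in that reply concrete, here is an added example (not from the question, the answer, or Doctrine's own docs) showing the same lookup through Doctrine DBAL on PostgreSQL: bound parameters, which PDO sends separately from the SQL text, versus hand-built SQL where `quote()` and `quoteIdentifier()` are the only escaping you get. The `users` table, its columns and the connection settings are assumptions.

```php
<?php
// Added example, not code from the original page. Assumes a table "users"
// with columns "email" and "name"; connection values are placeholders.
require 'vendor/autoload.php';

use Doctrine\DBAL\DriverManager;
use Doctrine\DBAL\ParameterType;

$conn = DriverManager::getConnection([
    'driver'   => 'pdo_pgsql',
    'host'     => 'localhost',
    'dbname'   => 'app',
    'user'     => 'app',
    'password' => 'REPLACE_ME',
]);

// Untrusted input: a perfectly legitimate value that contains a quote.
$name = "O'Brien";

// 1) Prepared statement with a positional parameter. The value is never
//    spliced into the SQL text; the driver transmits it separately, so the
//    quote character is just data. This is what the answer calls secure.
$rows = $conn->fetchAllAssociative(
    'SELECT email FROM users WHERE name = ?',
    [$name]
);

// 2) Same query with a named parameter and an explicit DBAL type.
$rows = $conn->fetchAllAssociative(
    'SELECT email FROM users WHERE name = :name',
    ['name' => $name],
    ['name' => ParameterType::STRING]
);

// 3) Hand-built SQL: this is the case the quoted docs paragraph is about.
//    DBAL does no escaping here, so quote() must be called explicitly;
//    concatenating $name directly would be the injection point.
$sql  = 'SELECT email FROM users WHERE name = ' . $conn->quote($name);
$rows = $conn->fetchAllAssociative($sql);

// Identifiers (table and column names) cannot be bound as parameters, so a
// caller-chosen column must be checked against an allow-list and then
// wrapped with quoteIdentifier() before it is concatenated.
$allowed = ['name', 'email'];
$column  = 'name';
if (!in_array($column, $allowed, true)) {
    throw new InvalidArgumentException('unknown column');
}
$sql  = 'SELECT ' . $conn->quoteIdentifier($column) . ' FROM users WHERE email = ?';
$rows = $conn->fetchAllAssociative($sql, ['alice@example.com']);
```

Cases 1 and 2 are the normal path; case 3 and the identifier case are the only places where the "DBAL does no escaping" warning applies.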
