Symfony, Doctrine and passed parameters: what should I take care of?

I have a Symfony controller that looks like this:

use Symfony\Component\HttpFoundation\Request;

public function postAction($key, Request $request)
{
    /** @todo check that the key is passed and that it exists */

    // Get the entity manager
    $em = $this->getDoctrine()->getManager();

    /**
     * This call uses the magic finders of Doctrine, which look up a record
     * by the name of the field in the table on which the search is performed:
     *
     * ->findOneBy<FieldName>()
     *
     * It is the equivalent of ->findOneBy(['key' => $key]).
     */
    $entity = $em->getRepository('AppBundle:Entity')->findOneByKey($key);

    // ... work with $entity and build the response ...
}

As you can see, I pass $key directly to Doctrine to fetch the corresponding row from the database.

Now, since this $key is passed through the query string and an attacker can pass whatever he wants, my question is: should I do something with $key? Should I implement some mechanism to make sure that $key does not contain malicious code, to prevent the possibility of a SQL injection attack?

No, you don't have to worry, Doctrine does that for you.

See http://doctrine-dbal.readthedocs.org/en/latest/reference/security.html and http://doctrine-orm.readthedocs.org/en/latest/reference/security.html for more information.
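The answer is right as long as the value reaches the database as a bound parameter, which is what the magic finders and setParameter() do. The example below is added here and is not code from the question or from Doctrine itself: it builds a constructed in-memory SQLite table with Doctrine DBAL and runs the same lookup three ways, so you can see where Doctrine protects you and where it cannot. It assumes doctrine/dbal ^3.0 installed via Composer and the pdo_sqlite extension; the table name, column names (api_key, owner) and sample rows are invented for the demo.

```php
<?php
// Added example (not code from the original post). Shows why the answer
// "Doctrine does it for you" holds only while $key travels as a bound
// parameter. Assumes doctrine/dbal ^3.0 via Composer and pdo_sqlite;
// the table and its rows are constructed here for the demo.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Doctrine\DBAL\Connection;
use Doctrine\DBAL\DriverManager;

/** Build an in-memory SQLite database with two constructed rows. */
function buildSampleDb(): Connection
{
    $conn = DriverManager::getConnection(['driver' => 'pdo_sqlite', 'memory' => true]);
    $conn->executeStatement(
        'CREATE TABLE entity (id INTEGER PRIMARY KEY, api_key TEXT NOT NULL, owner TEXT NOT NULL)'
    );
    foreach ([['abc123', 'alice'], ['def456', 'bob']] as [$apiKey, $owner]) {
        // Even the fixture insert binds its values instead of interpolating them.
        $conn->executeStatement('INSERT INTO entity (api_key, owner) VALUES (?, ?)', [$apiKey, $owner]);
    }
    return $conn;
}

/**
 * UNSAFE: the request value is spliced into the SQL text. Doctrine never
 * sees a parameter, only a finished string, so it cannot protect this call.
 */
function findUnsafe(Connection $conn, string $key): array
{
    $sql = "SELECT owner FROM entity WHERE api_key = '" . $key . "'";
    return $conn->fetchAllAssociative($sql);
}

/**
 * SAFE: the value is shipped to the driver separately as a bound parameter
 * and is treated as data, never as SQL. This is what the repository's
 * findOneBy(['key' => $key]) / findOneByKey($key) and Query::setParameter()
 * do under the hood, which is why the answer holds for the controller
 * in the question.
 */
function findSafe(Connection $conn, string $key): array
{
    return $conn->fetchAllAssociative(
        'SELECT owner FROM entity WHERE api_key = :key',
        ['key' => $key]
    );
}

/**
 * The caveat the linked security page makes: parameters only cover values.
 * A user-chosen column or table name (ORDER BY, SELECT list) cannot be
 * bound, so it has to be matched against an allow-list and quoted as an
 * identifier, never concatenated raw.
 */
function findAllSorted(Connection $conn, string $sortBy): array
{
    $allowed = ['id', 'api_key', 'owner'];
    if (!in_array($sortBy, $allowed, true)) {
        throw new InvalidArgumentException('Unknown sort column: ' . $sortBy);
    }
    $column = $conn->quoteIdentifier($sortBy);
    return $conn->fetchAllAssociative('SELECT owner FROM entity ORDER BY ' . $column);
}

$conn = buildSampleDb();
// Attacker-controlled query-string value, as in the question.
$key = "' OR '1'='1";

printf("unsafe: %d row(s)\n", count(findUnsafe($conn, $key)));
printf("safe:   %d row(s)\n", count(findSafe($conn, $key)));
printf("sorted: %s\n", implode(',', array_column(findAllSorted($conn, 'owner'), 'owner')));
```

With that input, findUnsafe() returns both rows, because the WHERE clause has become `api_key = '' OR '1'='1'`, while findSafe() returns none, since no row has that literal string as its key. The controller in the question is in the second situation, which is the whole point of the answer; the thing to watch for in your own code is a hand-built DQL or SQL string, or a sort column taken from the request, where the allow-list in findAllSorted() is the pattern to follow.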