Please note that mysql_real_escape_string() [and I assume
PDO::quote() too, though I don't use it] take care only of escaping the
query string and thus do not prevent SQL injection completely. You
should always check any user input.
BAD example:
$userID = $_GET['user'];
$sql = 'SELECT * FROM users WHERE id='.$userID;
Now consider what happens if the parameter given is:
0 OR email=this.guy.h...@hotmail.com
In this example it's easy to use:
// intval() turns "0 OR email=..." into 0, which the range check below rejects
$userID = intval($_GET['user']);
if (!$userID || $userID > UPPER_LIMIT || $userID < LOWER_LIMIT) {
    ....
}
On May 14, 7:21 pm, mlugert <mlug...@yahoo.com> wrote:
> Found the answer for those who care. Doctrine uses PDO which
> internally uses PDO::quote(); In short Doctrine takes care of this
> and there is no need for mysql_real_escape_string.
> On May 14, 11:02 am, mlugert <mlug...@yahoo.com> wrote:
> > Of course I mean when using DQL specifically.
> > On May 14, 10:41 am, mlugert <mlug...@yahoo.com> wrote:
> > > Sorry if this has been answered, but when using Doctrine what should
> > > we do to protect against sql injection? mysql_real_escape_string
> > > doesn't always make sense if you are using other DBs.
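As an added example (not code from any poster in this thread), the validation step from the first reply written out as a function, paired with a PDO prepared statement so the id never becomes part of the SQL text; the LOWER_LIMIT/UPPER_LIMIT values, the users rows and the test inputs are constructed, and an in-memory SQLite database is used so it runs offline.

```php
<?php
// Added example, not from the thread. Limits and sample data are constructed.
const LOWER_LIMIT = 1;
const UPPER_LIMIT = 1000000;

// Returns the id as an int, or null if the input is not an acceptable id.
// Stricter than intval(): the raw value must consist only of digits, so a
// string such as "0 OR email=..." is rejected before it is ever used.
function validateUserId($raw): ?int
{
    if (!is_string($raw) || !ctype_digit($raw)) {
        return null;
    }
    $id = (int) $raw;
    if ($id < LOWER_LIMIT || $id > UPPER_LIMIT) {
        return null;
    }
    return $id;
}

// Looks up a user by id. The placeholder plus PDO::PARAM_INT keeps the value
// out of the query string, so the id cannot change the query's structure
// even if validation were skipped.
function findUser(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'alice@example.com'), (2, 'bob@example.com')");

// Constructed inputs: a valid id, the injection-style string from the first
// reply, a zero id, and an out-of-range id.
foreach (['2', '0 OR email=x@example.com', '0', '99999999'] as $input) {
    $id = validateUserId($input);
    if ($id === null) {
        echo "rejected: $input\n";
        continue;
    }
    $row = findUser($pdo, $id);
    echo "accepted: $input -> " . ($row ? $row['email'] : 'no such user') . "\n";
}
```

Only the input '2' reaches the query; the other three are rejected by validateUserId() before any SQL is built.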