Do data received via Request using Doctrine need to be processed?


3

I’m developing a new project; it’s the first time I’m using Doctrine with Silex, and I have a doubt about receiving information through forms.

I receive the data from forms through Symfony’s Request (Symfony\Component\HttpFoundation\Request) and wanted to know whether I need to use some method to filter this data, like filter_input, htmlspecialchars, strip_tags, etc.

In my case I get this data like this:

$dados = $request->request->all(); 

and read them with:

$dados['nome'] 

for example. Do I need to treat it or not?

2 answers

2


From the (source) code of Request, and consequently ParameterBag, it can be used as follows, which already gets what is expected:

$id = $request->request->getInt('id'); 
$nm = $request->request->getAlpha('name');
$st = $request->request->getBoolean('status');

or specify your own filter:

$mail = $request->request->filter('id', 0, FILTER_SANITIZE_EMAIL);

In the case of all(), as mentioned, the data are not processed, but as reported there is the option of doing it with filter, or with the implemented getInt, getAlpha, getBoolean, getDigits and getAlnum, which internally use this kind of code; for example, getBoolean:

public function getBoolean($key, $default = false)
{
    return $this->filter($key, $default, FILTER_VALIDATE_BOOLEAN);
}

Doctrine - Security has a security section, but it can be supplemented with the code exemplified just above, or even with a Validation class, which can block most of the problems encountered in web development with data obtained from the request.

References:

  • Thanks Virgilio for the help.. right.. I didn’t really know what I could do, but then I ask you: is it necessary to do this when using Doctrine? I hear Doctrine is in charge of filtering the fields that will be saved. I may be talking nonsense, I don’t have much knowledge on the subject.. Can you assist me? Grateful

  • @Alexandrozaleski, I cannot confirm that Doctrine does it internally; I would have to do the same thing I just did and check Doctrine’s code. But I would do it the way the answer shows, because I would already be sending Doctrine the most complete data, almost without problems. I use Laravel and I do the same with Eloquent: I don’t send data without checking ;).

  • 1

    Okay.. Thank you very much @Virgilionovic for your help, I think you can never have too much security.. I’m going to do it this way so as not to depend on Doctrine for validations that need to be done before the data is sent to the database, right? Thank you very much again..

  • OK @Alexandrozaleski, validating is always good. If you have a Validation in between, it will already cure most of the problems.

  • 1

    @Virgilionovic excellent tips on Symfony!

  • Thanks @Guilhermenascimento ... !

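To make the point of this answer concrete (that all() hands back raw strings and the typed getters exist to pin each field to an expected type), here is an added example, not code from the answer or from Symfony. It validates an array shaped like the result of $request->request->all() against a whitelist of expected fields, using the same PHP filter extension that ParameterBag::filter() delegates to, so it runs without Symfony installed. The field names other than 'nome', the rules, and the sample request body are all constructed for illustration.

```php
<?php
// Added example (not from the original answer): validate the array returned by
// $request->request->all() against a whitelist of expected fields and types,
// using the same PHP filter extension that ParameterBag::filter() delegates to.
// No Symfony installation is needed; $dados below is a constructed sample POST body.

/**
 * Validate a raw request body against a field specification.
 * Returns ['data' => cleaned values, 'errors' => messages]; unknown fields are rejected.
 */
function validateRequestData(array $raw, array $spec): array
{
    $errors = [];
    $clean  = [];

    // Reject anything the form is not supposed to send (mass-assignment guard).
    foreach (array_diff_key($raw, $spec) as $field => $_) {
        $errors[$field] = 'unexpected field';
    }

    foreach ($spec as $field => $rule) {
        if (!array_key_exists($field, $raw)) {
            if (!empty($rule['required'])) {
                $errors[$field] = 'missing';
            }
            continue;
        }
        // An array where a scalar is expected is a classic filter bypass; refuse it.
        if (!is_scalar($raw[$field])) {
            $errors[$field] = 'scalar expected';
            continue;
        }
        $options = $rule['options'] ?? [];
        // Make every filter return null on failure so "0"/false stay distinguishable from errors.
        $options['flags'] = ($options['flags'] ?? 0) | FILTER_NULL_ON_FAILURE;
        $value = filter_var($raw[$field], $rule['filter'], $options);
        if ($value === null) {
            $errors[$field] = 'invalid ' . $rule['label'];
            continue;
        }
        $clean[$field] = $value;
    }

    return ['data' => $clean, 'errors' => $errors];
}

// Field specification for the form in the question ('nome' comes from the question;
// the other field names are assumed for illustration).
$spec = [
    'id'     => ['filter' => FILTER_VALIDATE_INT, 'label' => 'integer',
                 'options' => ['options' => ['min_range' => 1]]],
    'nome'   => ['filter' => FILTER_VALIDATE_REGEXP, 'label' => 'name', 'required' => true,
                 'options' => ['options' => ['regexp' => '/^[\p{L} \'.-]{1,80}$/u']]],
    'email'  => ['filter' => FILTER_VALIDATE_EMAIL, 'label' => 'e-mail'],
    'status' => ['filter' => FILTER_VALIDATE_BOOLEAN, 'label' => 'boolean'],
];

// Constructed sample of what $request->request->all() might return.
$dados = [
    'id'     => '42abc',          // not a clean integer: rejected
    'nome'   => "Ana' OR 1=1",    // '=' and digits fail the name pattern: rejected
    'email'  => 'ana@example.com',
    'status' => 'yes',            // accepted as true by FILTER_VALIDATE_BOOLEAN
    'admin'  => '1',              // a field the form never sends: rejected
];

$result = validateRequestData($dados, $spec);
print_r($result);
```

Run with the sample body, 'email' and 'status' end up in data (status as a real boolean true) while 'id', 'nome' and 'admin' land in errors. The whitelist step is the part the typed getters alone do not give you: getInt('id') will coerce a value, but nothing stops a field you never asked for from travelling on into an entity.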

1

Complementing @Virgilio Novic’s reply, here is what the Doctrine documentation says:

In general you should assume that APIs in Doctrine are not safe for user input. There are however some exceptions.

Free translation:

In general, you should assume that the APIs in Doctrine are not safe for user input. There are, however, some exceptions.

Exceptions can be seen in the following links:

Note what section 12.2.1. Wrong: String Concatenation says: you should never build your queries dynamically and concatenate user input into your SQL or DQL query. For Doctrine there is absolutely no way to find out which parts of the SQL are user input and which are not.

For example:

<?php
$sql = "SELECT * FROM users WHERE name = '" . $_GET['username']. "'";

Although DQL is a wrapper around SQL that can protect against some security implications, the previous example is also a threat to DQL queries, which in the end will result in a query:

$dql = "SELECT u FROM User u WHERE u.username = '" . $_GET['username'] . "'";

In this scenario, an attacker can still pass a username such as ' OR 1 = 1 and create a valid DQL query.

So, how to make queries safer?

  • Prepared Statements: you should always use them to perform your queries. It is a two-step procedure that separates the SQL query from the parameters. They are supported for SQL DBAL queries and DQL ORM queries.

Example DQL:

$dql = "SELECT u FROM User u WHERE u.username = :name";
$query = $em->createQuery($dql);
$query->setParameter("name", $_GET['username']);
$data = $query->getResult();

Example SQL:

$sql = "SELECT * FROM users WHERE username = ?";
$stmt = $connection->executeQuery($sql, array($_GET['username']));

See more information on how to use them here.

  • Quoting/Escaping: Although it was said above that string concatenation is wrong, there is a way to do it correctly using the Connection#quote method. This method is only available for SQL, not DQL. For DQL it is always encouraged to use Prepared Statements, not only for security but also for caching reasons.

Example:

$sql = "SELECT * FROM users WHERE name = " . $connection->quote($_GET['username'], \PDO::PARAM_STR);

Do data received via Request using Doctrine need to be treated?

It depends on the API being used, as referred to in the documentation, but in general, if the query is being built based on user input, yes, it is necessary to handle all input.

  • I’m using DQL in the queries and I do it as you posted there, using setParameter, but even so, do I need to process the data received via input? Thanks for the help.

  • @Alexandrozaleski the Prepared Statements are sufficient; nothing more is needed, and moreover the examples in the documentation itself do not use anything else. The getInt, getBoolean methods below serve more to ensure that the system receives the expected types. Imagine that you are expecting a string: the user can send ' OR 1=1, which will pass your validation if it only checks for a string.

  • @Felipemorais I was checking my code: in the case of insert and update, I’m just taking the data of the entity, doing a persist and a flush; I’m not going through DQL. In this case I need to use the filters, right? I’m confused now..

  • @Alexandrozaleski there is no need, see here: http://docs.doctrine-project.org/en/latest/reference/security.html#user-input-and-Doctrine-Orm The Doctrine\ORM\EntityManager#persist() method is safe against SQL injection.
