How to prevent SQL injection in Symfony 1.4 and Doctrine 1.2?

Hi,

I have 3 search inputs that query the database and return the obtained data. With these a malicious user can bypass my system and get other information.

Looking at the code below, which is how the user interacts with my system, how could I protect myself from these attacks?

    $numero = $request->getParameter('campoPesquisaNumero');
    $ano    = $request->getParameter('campoPesquisaAno');
    $ementa = $request->getParameter('campoPesquisaEmenta');

    if ($numero !== '' || $ano !== '' || $ementa !== '')
    {
        // the three user-supplied values are concatenated straight into the DQL string
        $pesquisar = Doctrine::getTable('tblicitacoes')
            ->createQuery('l')
            ->select('l.*')
            ->where('l.numero LIKE \'%' . $numero . '%\' AND l.ano LIKE \'%' . $ano . '%\' AND l.ementa LIKE \'%' . $ementa . '%\'')
            ->andWhere('l.publicar = 1 OR l.publicar = "Y"')
            ->orderBy('l.licitacoes_data DESC')
            ->execute();
    }
  • Use prepared statements and bind parameters. The Doctrine documentation has more on this: http://doctrine-orm.readthedocs.org/projects/doctrine-dbal/en/latest/reference/data-retrieval-and-manipulation.html

1 answer

Pass the values for the LIKE conditions as arguments to the execute method:

    $pesquisar = Doctrine::getTable('tblicitacoes')
        ->createQuery('l')
        ->select('l.*')
        ->where('l.numero LIKE ? AND l.ano LIKE ? AND l.ementa LIKE ?')
        ->andWhere('l.publicar = 1 OR l.publicar = "Y"')
        ->orderBy('l.licitacoes_data DESC')
        ->execute(['%' . $numero . '%', '%' . $ano . '%', '%' . $ementa . '%']);

This way, Doctrine knows how to deal with SQL injection attacks.

  • This way the query is much better anyway. I have not done very hard testing yet, but so far I could not circumvent the query.
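The same query written with one bound LIKE condition per filled-in field, as an added example that is not part of the question or the answer. It assumes the Symfony 1.4 / Doctrine 1.2 setup above and a MySQL backend, where LIKE uses backslash as its default escape character; the `escapeLike` helper is mine, and it covers a point binding alone does not: a bound value of `%` or `_` is still a wildcard, so it would match every row.

```php
<?php
// Added example, not code from the original post. Assumes Symfony 1.4,
// Doctrine 1.2 and MySQL (backslash is the default LIKE escape character).

/**
 * Escape LIKE metacharacters so the user's text is matched literally.
 * Parameter binding stops SQL injection, but "%" and "_" inside a bound
 * value are still interpreted as wildcards by the LIKE operator.
 */
function escapeLike($value)
{
    return addcslashes($value, '%_\\');
}

/**
 * Build the search query. Only fields the user actually filled in add a
 * condition, and no user input ever becomes part of the DQL text.
 */
function buildSearchQuery(sfWebRequest $request)
{
    // column name => request parameter (fixed list, not user controlled)
    $fields = array(
        'numero' => 'campoPesquisaNumero',
        'ano'    => 'campoPesquisaAno',
        'ementa' => 'campoPesquisaEmenta',
    );

    $q = Doctrine_Core::getTable('tblicitacoes')
        ->createQuery('l')
        ->select('l.*')
        ->where('l.publicar = 1 OR l.publicar = ?', 'Y')
        ->orderBy('l.licitacoes_data DESC');

    foreach ($fields as $column => $param) {
        $value = trim((string) $request->getParameter($param, ''));
        if ($value === '') {
            continue; // an empty search field does not restrict the result
        }
        // The "?" placeholder is filled by the driver with the bound value;
        // the pattern is assembled in PHP, never concatenated into the DQL.
        $q->andWhere('l.' . $column . ' LIKE ?', '%' . escapeLike($value) . '%');
    }

    return $q;
}

// Inside an action:  $pesquisar = buildSearchQuery($request)->execute();
```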
