Hi,
I have 3 search inputs that query the database and return the data obtained. With these, a malicious user can bypass my system and get other information.
Looking at the way I let the user interact with my system, how could I protect myself against these attacks?
// Search inputs read from the request (variable names made consistent with their use below)
$numero = $request->getParameter('campoPesquisaNumero');
$ano = $request->getParameter('campoPesquisaAno');
$ementa = $request->getParameter('campoPesquisaEmenta');
if ($numero !== '' || $ano !== '' || $ementa !== '')
{
    // The three raw values are concatenated straight into the DQL string
    $pesquisar = Doctrine::getTable('tblicitacoes')
        ->createQuery('l')
        ->select('l.*')
        ->where('l.numero LIKE \'%' . $numero . '%\' AND l.ano LIKE \'%' . $ano . '%\' AND l.ementa LIKE \'%' . $ementa . '%\'')
        ->andWhere('l.publicar = 1 OR l.publicar = "Y"')
        ->orderBy('l.licitacoes_data DESC')
        ->execute();
}
Use prepared statements and bind parameters. The Doctrine documentation has more on this: http://doctrine-orm.readthedocs.org/projects/doctrine-dbal/en/latest/reference/data-retrieval-and-manipulation.html
– Renan Cavalieri
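The same search rewritten with bound parameters, as an added example that is not the asker's or the commenter's code. It uses the Doctrine 1.x query API the question already uses (`Doctrine::getTable(...)->createQuery()`); the table, field and request parameter names come from the question, while the `$request->getParameter($name, $default)` signature, the `escapeLike` helper and a MySQL backend (backslash as the default LIKE escape character) are assumptions.

```php
<?php
// Added example: the question's search with values passed as query parameters
// instead of being spliced into the DQL string.

// Escape LIKE metacharacters so a user-supplied '%' or '_' matches literally
// instead of widening the search. Assumes MySQL's default backslash escape.
function escapeLike(string $value): string
{
    return addcslashes($value, '%_\\');
}

function buildSearchQuery($request)
{
    // Same three inputs as the original; assumed getParameter($name, $default).
    $numero = (string) $request->getParameter('campoPesquisaNumero', '');
    $ano    = (string) $request->getParameter('campoPesquisaAno', '');
    $ementa = (string) $request->getParameter('campoPesquisaEmenta', '');

    // Table and alias from the question. The publicar condition is
    // parenthesised so the AND filters below cannot bind tighter than the OR.
    $q = Doctrine::getTable('tblicitacoes')
        ->createQuery('l')
        ->select('l.*')
        ->where('(l.publicar = 1 OR l.publicar = ?)', 'Y')
        ->orderBy('l.licitacoes_data DESC');

    // Each filter is added only when the user filled it in. The value is the
    // second argument (a bound parameter), so a quote in the input ends up as
    // data inside the LIKE pattern and can never terminate the DQL string.
    if ($numero !== '') {
        $q->andWhere('l.numero LIKE ?', '%' . escapeLike($numero) . '%');
    }
    if ($ano !== '') {
        $q->andWhere('l.ano LIKE ?', '%' . escapeLike($ano) . '%');
    }
    if ($ementa !== '') {
        $q->andWhere('l.ementa LIKE ?', '%' . escapeLike($ementa) . '%');
    }

    return $q;
}

// Usage: $pesquisar = buildSearchQuery($request)->execute();
```

Note that the linked page documents the Doctrine 2 DBAL, whereas `Doctrine::getTable()` is the Doctrine 1.x API; the principle is the same in both: placeholders in the query text, values supplied separately.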