Home/ Questions/Q 7684397
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-31T19:00:49+00:00

I kwnow that using an ORM like Doctrine2 for building queries is safe ,

  • 0

I kwnow that using an ORM like Doctrine2 for building queries is safe, meaning that parameters are escaped by default.

But i’m guessing that this is not so obvious when using literals and when this literal comes directly from the query string:

    $builder = $this->getRepository()->createQueryBuilder('e');
    $request = $this->getRequest();

    // Loop each allowed filter field and check if exists in $request
    foreach($this->getFilterFields() as $filter) :

        // Skip falsy values in $request
        if(!$value = $request->get($filter)) continue;

        // Add OR LIKE %$value% where $value is GET paramter
        $like = $builder->expr()->literal("%$value%");
        $builder->orWhere($builder->expr()->like("e.$filter", $like));

    endforeach;

Should safety be improved in some way?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    $queryBuilder->expr returns an ExpressionBuilder object. Inside ExpressionBuilder we find:

    public function literal($input, $type = null)
{
    return $this->connection->quote($input, $type);
}

    So literals do get quoted and should be fine to use.

    We also find:

    public function like($x, $y)
{
    return $this->comparison($x, 'LIKE', $y);
}
public function comparison($x, $operator, $y)
{
    return $x . ' ' . $operator . ' ' . $y;
}

    $y is fine because it goes through literal first. Do want to be a bit careful about $x. As long as your filterFields are internal then no problem. If they are coming from the user then you need to make sure they are valid.

    • 0