How to prevent SQL injection in Symfony 1.4 and Doctrine 1.2?

0

Hi,

I have 3 search inputs that query the database and return the matching data. A malicious user could therefore circumvent my system and get other information.

Looking at the way I let the user interact with my system, how could I prevent them from attacking it?

    // Raw values from the search form. The default of '' matters: without it
    // getParameter() returns null for a missing field, and null !== '' is
    // always true, so the guard below would never skip the query.
    $numero = $request->getParameter('campoPesquisaNumero', '');
    $ano    = $request->getParameter('campoPesquisaAno', '');
    $ementa = $request->getParameter('campoPesquisaEmenta', '');

    if ($numero !== '' || $ano !== '' || $ementa !== '')
    {
        // The user-controlled strings are concatenated straight into the DQL
        // WHERE clause: this is the injection point.
        $pesquisar = Doctrine::getTable('tblicitacoes')
                        ->createQuery('l')
                        ->select('l.*')
                        ->where('l.numero LIKE \'%' . $numero . '%\' AND l.ano LIKE \'%' . $ano . '%\' AND l.ementa LIKE \'%' . $ementa . '%\'')
                        ->andWhere('l.publicar = 1 OR l.publicar = "Y"')
                        ->orderBy('l.licitacoes_data DESC')
                        ->execute();
    }
    
asked by anonymous 19.11.2015 / 18:14

1 answer

0

Set the values for the LIKE conditions as arguments to the execute() method, using ? placeholders in the query:

// Each ? is a positional placeholder; the values are passed to execute()
// (array() syntax, since Doctrine 1.2 targets PHP 5.2/5.3 where [] is a parse error).
$pesquisar = Doctrine::getTable('tblicitacoes')
    ->createQuery('l')
    ->select('l.*')
    ->where('l.numero LIKE ? AND l.ano LIKE ? AND l.ementa LIKE ?')
    ->andWhere('l.publicar = 1 OR l.publicar = "Y"')
    ->orderBy('l.licitacoes_data DESC')
    // The % wildcards belong to the bound value, not to the query text.
    ->execute(array('%' . $numero . '%', '%' . $ano . '%', '%' . $ementa . '%'));

In this way, Doctrine can handle any SQL injection attacks.

    
19.11.2015 / 18:52
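The following is an added example, not code from the question or the answer. It runs the concatenated query from the question beside the parameterised form from the answer, against an in-memory SQLite table that stands in for tblicitacoes, so the difference can be observed without Symfony or a MySQL server. Doctrine 1.2's execute(array(...)) ends up in a PDO prepared statement, so plain PDO is used to show the mechanism. It also goes one step beyond the answer: binding stops SQL injection, but % and _ inside a bound value are still LIKE wildcards, so the values are escaped before being wrapped in %. The function names, the sample rows and the attacker payload are all constructed for this example.

```php
<?php
// Added example, not code from the original question or answer. It runs the
// concatenated query from the question beside the parameterised form from the
// answer against an in-memory SQLite table that stands in for tblicitacoes.
// Doctrine 1.2's execute(array(...)) ends up in a PDO prepared statement, so
// plain PDO is used here to show the mechanism without the framework.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data: one published row, one that must never be shown.
$pdo->exec('CREATE TABLE tblicitacoes (
    id INTEGER PRIMARY KEY, numero TEXT, ano TEXT, ementa TEXT,
    publicar TEXT, licitacoes_data TEXT)');
$pdo->exec("INSERT INTO tblicitacoes VALUES
    (1, '001', '2015', 'Published notice',  'Y', '2015-11-01'),
    (2, '002', '2015', 'Unpublished draft', 'N', '2015-11-10')");

// Vulnerable: the same string building as the question's where() call,
// written as the SQL Doctrine would roughly produce from it.
function searchVulnerable(PDO $pdo, $numero, $ano, $ementa)
{
    $sql = "SELECT * FROM tblicitacoes"
         . " WHERE (numero LIKE '%" . $numero . "%'"
         . " AND ano LIKE '%" . $ano . "%'"
         . " AND ementa LIKE '%" . $ementa . "%')"
         . " AND (publicar = 1 OR publicar = 'Y')"
         . " ORDER BY licitacoes_data DESC";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Binding stops SQL injection, but % and _ inside the bound value are still
// LIKE wildcards; escape them so the user searches for the literal text.
function escapeLike($value)
{
    // Backslash first, so the escapes added for % and _ are not doubled again.
    return str_replace(array('\\', '%', '_'), array('\\\\', '\\%', '\\_'), $value);
}

// Safe: ? placeholders in the SQL, values supplied to execute(), which is
// what the answer does with Doctrine_Query::execute(array(...)).
function searchSafe(PDO $pdo, $numero, $ano, $ementa)
{
    $stmt = $pdo->prepare(
        "SELECT * FROM tblicitacoes"
        . " WHERE (numero LIKE ? ESCAPE '\\' AND ano LIKE ? ESCAPE '\\'"
        . " AND ementa LIKE ? ESCAPE '\\')"
        . " AND (publicar = 1 OR publicar = 'Y')"
        . " ORDER BY licitacoes_data DESC"
    );
    $stmt->execute(array(
        '%' . escapeLike($numero) . '%',
        '%' . escapeLike($ano) . '%',
        '%' . escapeLike($ementa) . '%',
    ));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker input for the ementa field: it closes the LIKE literal
// and the parenthesis, then comments out the publicar filter.
$payload = "%') OR 1=1 --";

printf("concatenated query, payload: %d rows (the unpublished row is included)\n",
    count(searchVulnerable($pdo, '', '', $payload)));
printf("parameterised query, payload: %d rows (payload treated as search text)\n",
    count(searchSafe($pdo, '', '', $payload)));
printf("parameterised query, normal search for 2015: %d rows\n",
    count(searchSafe($pdo, '', '2015', '')));
```

Run it with the php CLI (pdo_sqlite must be enabled). With the concatenated query the payload rewrites the WHERE clause to `(...) OR 1=1`, so every row comes back regardless of publicar; with the bound parameter the same string is just text that matches nothing. The ESCAPE clause is spelled out for SQLite; on MySQL, which Doctrine 1.2 is usually paired with, backslash is already the default LIKE escape character, so the escapeLike() step alone is enough for the values handed to Doctrine's execute().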