
Doctrine and SQL Injection

Developer https://www.devze.com 2023-02-01 06:06 Source: Internet

Does Doctrine automatically prevent SQL injection?

Is the following code secure?

$user = new Model_User();
$user->name = $_POST['username'];
$user->save();


As far as SQL injection is concerned I think there will be no problem. But you might want to make sure as well that the username is well formed (could for instance be <script>//do something bad</script>, and that script would for instance be executed when you output that user name somewhere on the site).


You'll be safe from SQL injection with Doctrine (and any other PDO-based database library) as long as you use bound parameters (Doctrine will be using these under the hood so your example is fine), but you shouldn't ever use input from a client without sanitizing it first. Take a look at PHP's Filter library - in particular the sanitization example. In your case, you'd want to at least validate that the name is a string using FILTER_SANITIZE_STRING "Strip tags, optionally strip or encode special characters.".
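The two points made in the answers above (bound parameters stop SQL injection; output still needs escaping) as an added example, not code from the question, the answers or the Doctrine project. It uses plain PDO against an in-memory SQLite database, which is the layer the answer says Doctrine builds on, so no Doctrine install is needed; the table, the rows and the stand-in for $_POST['username'] are all constructed.

```php
<?php
// Added example (not from the original page). Plain PDO + SQLite in memory,
// standing in for Doctrine's underlying PDO usage. All data is constructed.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed input standing in for $_POST['username']: a legitimate name
// that already breaks naive string building because of the apostrophe.
$username = "o'neil";

// 1. The vulnerable pattern: the raw value becomes part of the SQL text.
//    The lone quote ends the string literal early and the statement fails;
//    other input could change what the statement does instead of failing.
try {
    $pdo->exec("INSERT INTO users (name) VALUES ('" . $username . "')");
    echo "string-built insert succeeded\n";
} catch (PDOException $e) {
    echo "string-built insert failed: " . $e->getMessage() . "\n";
}

// 2. What the answer means by "bound parameters": the SQL is prepared with a
//    placeholder and the value travels separately, so the database never
//    parses it as SQL, whatever characters it contains.
$insert = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
$insert->execute([':name' => $username]);

$select = $pdo->prepare('SELECT name FROM users WHERE name = :name');
$select->execute([':name' => $username]);
echo "round-trip matches: " . var_export($select->fetchColumn() === $username, true) . "\n";

// 3. The separate concern from the first answer: a value that is perfectly
//    safe for the database is not automatically safe to echo into HTML.
//    Stored via the same bound-parameter insert, then escaped on output so the
//    browser shows the characters as text rather than executing them.
$hostile = '<script>//do something bad</script>';
$insert->execute([':name' => $hostile]);
$select->execute([':name' => $hostile]);
$fromDb = $select->fetchColumn();
echo htmlspecialchars($fromDb, ENT_QUOTES, 'UTF-8') . "\n";
```

The second answer's FILTER_SANITIZE_STRING is an input-side filter; note that it has been deprecated since PHP 8.1, so on current PHP the reliable approach is the one shown in step 3: store what the user sent via a bound parameter and escape for the output context (htmlspecialchars for HTML) at the point where it is rendered.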

