I've this code:
I get some data from a GET request:
$username = $request->get('username');
And then, I use doctrine to check if this username exists or not:
$found = $em->getRepository('Bundle:Users')->findByNick($username);
if ($found){
//nickname in use
} else {
//not found
}
As you can see, I've no String escaping, so the value is directly sent to Doctrine. Is this a security issue? Should it be slashed for security reasons?
Note that I never use RAW queries, just prebuild ones from Doctrine.
There's no need to do it with prepared statements.
You can read here:http://docs.doctrine-project.org/projects/doctrine-dbal/en/latest/reference/security.html
And I've tried it out. This is the query generated by Doctrine:
WHERE t0.nick = 'dasdfaf\\' OR 1'
As you can see, several slashes were added.