Symfony, Doctrine and passing parameters: what should I pay attention to?

I have a Symfony controller like the following:

public function postAction($key, Request $request)
{
    // @todo check that the key is passed and that it exists

    // Get the entity manager
    $em = $this->getDoctrine()->getManager();

    /**
     * This call uses magic abilities of Doctrine that can find a record using
     * the name of the field in the table on which the search has to be performed.
     *
     * ->findOneBy[FieldName]
     *
     */
    $entity = $em->getRepository('AppBundle:Entity')->findOneByKey($key);

    // ...
}

As you can see, I pass the $key directly to Doctrine to get the corresponding row in the database.

Now, as this $key is passed through the query string and as an attacker could pass whatever he wants, my question is: do I have to implement some checks on the correctness of the $key? Do I have to implement some mechanism to be sure the $key doesn't contain malicious code, preventing in this way the possibility of a SQL injection attack?

No, you don't have to worry about it; Doctrine does that for you.

See http://doctrine-dbal.readthedocs.org/en/latest/reference/security.html and http://doctrine-orm.readthedocs.org/en/latest/reference/security.html for more information.
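An added example (not code from the question, the answer, or Doctrine itself): `findOneByKey($key)` is safe because the value is sent as a bound parameter, and the same protection does not apply to SQL or DQL that you build yourself by concatenating request input. The sketch reproduces both cases with plain PDO on an in-memory SQLite database. The table, its rows, the `entity_key` column standing in for the `key` field, and the key format in `isWellFormedKey()` are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed in-memory table standing in for the entity's table (assumption).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE entity (id INTEGER PRIMARY KEY, entity_key TEXT UNIQUE, owner TEXT)');
$pdo->exec("INSERT INTO entity (entity_key, owner) VALUES ('a1b2c3', 'alice'), ('d4e5f6', 'bob')");

/** Unsafe: $key becomes part of the SQL text, as in hand-concatenated SQL or DQL. */
function findByKeyConcatenated(PDO $pdo, string $key): array
{
    $sql = "SELECT owner FROM entity WHERE entity_key = '" . $key . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

/** Safe: $key travels separately from the SQL text, as with findOneByKey() or setParameter(). */
function findByKeyBound(PDO $pdo, string $key): array
{
    $stmt = $pdo->prepare('SELECT owner FROM entity WHERE entity_key = :key');
    $stmt->execute([':key' => $key]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

/** Hypothetical key format (six lowercase alphanumerics): lets the action reject junk early. */
function isWellFormedKey(string $key): bool
{
    return preg_match('/\A[a-z0-9]{6}\z/', $key) === 1;
}

// Constructed input containing a quote, so it alters the statement when concatenated.
$hostile = "x' OR '1'='1";

// Bound parameter: a legitimate key is matched normally.
var_dump(findByKeyBound($pdo, 'a1b2c3'));

// Bound parameter: the whole hostile string is compared as one literal key value.
var_dump(findByKeyBound($pdo, $hostile));

// Concatenation: the quote in the input closes the literal and changes the WHERE clause.
var_dump(findByKeyConcatenated($pdo, $hostile));

// Format check: a cheap pre-filter before the repository is queried at all.
var_dump(isWellFormedKey('a1b2c3'), isWellFormedKey($hostile));
```

The format check is not what stops the injection (the bound parameter does); it covers the `@todo` in the question by letting the action return a 400 or 404 before the database is touched.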