
How does building an SQL query in Java using a query builder help prevent SQL injection?

Question added by Zeeshan Mohammad , Software Engineer in Research , Center for Collective Intelligence - Massachusetts Institute of Technology
Posted: 2013/10/02

Answer by Bilal Hassan , Principal Software Engineer | Full Stack Developer , TEO International & IE, Islamabad

Because a query builder defines parameterised queries, so it verifies the input string from the user and does not let the user enter malicious data in an input parameter.

Note: Parameterising input variables in a query is the very basic level of stopping SQL injection. For proper blocking, please use stored procedures.

Answer by MOHAMED MAHMOUD EISSA , Software department MGR. and Senior developer , Global Media Services GMS

SQL allows expressions in almost every clause and position. The Doctrine QueryBuilder can only prevent SQL injections for calls to the methods setFirstResult() and setMaxResults().

All other methods cannot distinguish between user and developer input and are therefore subject to the possibility of SQL injection.

To safely work with the QueryBuilder you should NEVER pass user input to any of the methods of the QueryBuilder; use the placeholder ? or :name syntax in combination with $queryBuilder->setParameter($placeholder, $value) instead.
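Both answers above rest on the same point: a query builder only protects the values that travel as bound parameters, while any string handed to a builder method becomes part of the SQL text and is indistinguishable from the developer's own query. The example below is added here and is not code from the original page, from Doctrine, or from either answerer. It uses a small hypothetical query builder written in Python over the standard-library sqlite3 module (Python rather than Java so it runs stand-alone); the users table and its two rows are constructed inline, `set_max_results` coerces its argument to an integer by analogy with Doctrine's setMaxResults (an assumption about the analogy, not a claim about Doctrine's source), and `lookup_unsafe`, `lookup_safe`, `limit_safe` and `limit_is_rejected` are names chosen for this illustration.

```python
"""Added example (not from the original page): a minimal query builder that
shows why only bound parameters, not the builder's methods, stop SQL injection."""
import sqlite3


class QueryBuilder:
    """Hypothetical builder: every method except set_parameter/set_max_results
    concatenates its argument into the SQL text, just like a real builder."""

    def __init__(self):
        self._select = "*"
        self._from = None
        self._where = []      # raw SQL fragments supplied by the developer
        self._params = {}     # named values that are bound, never concatenated
        self._limit = None

    def select(self, columns):
        self._select = columns
        return self

    def from_(self, table):
        self._from = table
        return self

    def where(self, expression):
        # The builder cannot tell whether `expression` is developer SQL or
        # user input; it is pasted into the query text verbatim.
        self._where.append(expression)
        return self

    def set_parameter(self, name, value):
        # Bound as a value by the driver; never interpreted as SQL.
        self._params[name] = value
        return self

    def set_max_results(self, n):
        # Assumption: like setMaxResults(), coerce to int so that only a
        # number can ever reach the LIMIT clause (non-numbers raise ValueError).
        self._limit = int(n)
        return self

    def build(self):
        sql = f"SELECT {self._select} FROM {self._from}"
        if self._where:
            sql += " WHERE " + " AND ".join(self._where)
        if self._limit is not None:
            sql += f" LIMIT {self._limit}"
        return sql, self._params

    def fetch_all(self, conn):
        sql, params = self.build()
        return conn.execute(sql, params).fetchall()


def make_db():
    """Constructed sample data: an in-memory table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (email, role) VALUES (?, ?)", [
        ("alice@example.com", "admin"),
        ("bob@example.com", "user"),
    ])
    return conn


def lookup_unsafe(conn, email):
    """Vulnerable: user input is interpolated into the argument of where()."""
    return (QueryBuilder().select("email, role").from_("users")
            .where(f"email = '{email}'").fetch_all(conn))


def lookup_safe(conn, email):
    """Hardened: where() receives only developer SQL with a :email placeholder;
    the user value is bound with set_parameter()."""
    return (QueryBuilder().select("email, role").from_("users")
            .where("email = :email").set_parameter("email", email).fetch_all(conn))


def limit_safe(conn, n):
    """User-controlled row limit passed through the integer-coercing method."""
    return QueryBuilder().select("email").from_("users").set_max_results(n).fetch_all(conn)


def limit_is_rejected(conn, n):
    """True if the limit value was refused before reaching the SQL text."""
    try:
        limit_safe(conn, n)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("unsafe:", lookup_unsafe(db, payload))   # returns every row
    print("safe:  ", lookup_safe(db, payload))     # returns no row
    print("limit rejected:", limit_is_rejected(db, "1 OR 1=1"))
```

With the tautology payload `x' OR '1'='1`, `lookup_unsafe` returns both users because the builder joined the attacker's text into the WHERE clause, while `lookup_safe` returns nothing because the driver compared the column against the literal string. The LIMIT case mirrors the second answer's point about setMaxResults(): a method that forces its argument into a number is the only kind of builder method that can be fed user input directly.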
