I have a Symfony controller that looks like this:
```php
public function postAction($key, Request $request)
{
    /** @var @todo check that the key is passed and that it exists */
    // Get the entity manager
    $em = $this->getDoctrine()->getManager();
    /**
     * This call uses magic abilities of Doctrine that can find a record using
     * the name of the field in the table on which the search has to be performed.
     *
     * ->findOneBy[FieldName]
     *
     */
    $entity = $em->getRepository('AppBundle:Entity')->findOneByKey($key);
}
```
As you can see, I pass `$key` directly to Doctrine to fetch the corresponding row from the database.

Now, since this `$key` is passed through the query string and an attacker can pass whatever he wants, my question is: should I perform some checks on the correctness of `$key`? Should I implement some mechanism to make sure `$key` does not contain malicious code, and in this way prevent the possibility of an SQL injection attack?
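The following is an added example, not code from the question or from Symfony/Doctrine themselves, showing how the controller above can be hardened: the key is constrained by a route requirement, the lookup stays parameterised, and the `@todo` existence check becomes a real 404. It assumes the entity has a string `key` column and that route annotations are in use (class name, route path and pattern are assumed).

```php
<?php
// Added example (not from the original question). Assumptions: the entity has
// a string `key` column, routes are declared with annotations, and the
// Symfony 3.x-era Controller base class with getDoctrine() is available.

namespace AppBundle\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\Routing\Annotation\Route;

class EntityController extends Controller
{
    /**
     * The route requirement rejects anything that is not a short token before
     * the controller runs; a non-matching value yields a 404 from the router.
     * The pattern is an assumption; use whatever format your keys really have.
     *
     * @Route("/entity/{key}", methods={"POST"}, requirements={"key"="[A-Za-z0-9_-]{1,64}"})
     */
    public function postAction(string $key, Request $request): Response
    {
        $em = $this->getDoctrine()->getManager();

        // findOneBy() binds $key as a query parameter of a prepared statement,
        // so the value is never concatenated into SQL. The magic
        // findOneByKey() form behaves the same; the array form is just explicit.
        // The injectable pattern would be building DQL/SQL by string
        // concatenation with $key, which this code never does.
        $entity = $em->getRepository('AppBundle:Entity')->findOneBy(['key' => $key]);

        // Format validation is not a substitute for an existence check: a
        // well-formed but unknown key must be a 404, not a null dereference later.
        if (null === $entity) {
            throw new NotFoundHttpException('No entity for the supplied key.');
        }

        // ... handle the request against $entity ...
        return new Response('ok');
    }
}
```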
Answer 0 (score: 1)