Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

doctrine2 dql, use setParameter with % wildcard when doing a like comparison

Tags:

sql-like

wildcard

doctrine-orm

code-injection

dql

I want to use the parameter place holder - e.g. ?1 - with the % wild cards. that is, something like: "u.name LIKE %?1%" (though this throws an error). The docs have the following two examples: 1.

// Example - $qb->expr()->like('u.firstname', $qb->expr()->literal('Gui%'))
public function like($x, $y); // Returns Expr\Comparison instance

I do not like this as there is no protection against code injection.

2.

// $qb instanceof QueryBuilder

// example8: QueryBuilder port of: "SELECT u FROM User u WHERE u.id = ?1 OR u.nickname LIKE ?2 ORDER BY u.surname DESC" using QueryBuilder helper methods
$qb->select(array('u')) // string 'u' is converted to array internally
   ->from('User', 'u')
   ->where($qb->expr()->orx(
       $qb->expr()->eq('u.id', '?1'),
       $qb->expr()->like('u.nickname', '?2')
   ))
   ->orderBy('u.surname', 'ASC'));

I do not like this because I need to search for terms within the object's properties - that is, I need the wild cards on either side.

like image 845
waigani Avatar asked Sep 20 '10 21:09

waigani

2 Answers

When binding parameters to queries, DQL pretty much works exactly like PDO (which is what Doctrine2 uses under the hood).

So when using the LIKE statement, PDO treats both the keyword and the % wildcards as a single token. You cannot add the wildcards next to the placeholder. You must append them to the string when you bind the params.

$qb->expr()->like('u.nickname', '?2')
$qb->getQuery()->setParameter(2, '%' . $value . '%');

See this comment in the PHP manual. Hope that helps.

like image 92
Bryan M. Avatar answered Oct 17 '22 13:10

Bryan M.

The selected answer is wrong. It works, but it is not secure.

You should escape the term that you insert between the percentage signs:

->setParameter(2, '%'.addcslashes($value, '%_').'%')

The percentage sign '%' and the symbol underscore '_' are interpreted as wildcards by LIKE. If they're not escaped properly, an attacker might construct arbirtarily complex queries that can cause a denial of service attack. Also, it might be possible for the attacker to get search results he is not supposed to get. A more detailed description of attack scenarios can be found here: https://stackoverflow.com/a/7893670/623685

like image 12
robert Avatar answered Oct 17 '22 14:10

robert
Sign in to Comment

Related questions

Doctrine 2 - 2 decimal places on a float?
Doctrine schema update or Doctrine migrations
How to get an id without join in doctrine2?
FOS UserBundle Unable to login
Using native SQL query without entity class
Delete an item from oneToMany relationship
Doctrine2: How to set all tables to collate with UTF8
Symfony -> How to make created and modified fields dynamic with Doctrine?
Expect one or no result from a doctrine query builder, what should I use?
Object-Relational Mapping vs Database Abstraction Layer
How to use the in statement in DQL in Doctrine 2.0
How to configure naming strategy in Doctrine 2
What is the right way to define annotation for DECIMAL type in Doctrine2
Doctrine 2: Call to a member function format() on a non-object ... in DateTimeType.php
How to set up entity (doctrine) for database view in Symfony 2
How to set up Doctrine2 fixtures when testing with PHPUnit?
How to delete rows from join-table (ManyToMany) in Doctrine?
Expression mysql NOW() in Doctrine QueryBuilder
Should I use EAV model?
Subquery in doctrine2 notIN Function

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!