How do you escape ' on doctrine?
I wrote this code:

```php
$query = $em->createQuery(
    "SELECT a FROM AcmeTopBundle:ArtData a WHERE
    a.name = '". mysql_escape_string($name) ."'");
```
but when $name is A'z it returns this error:

```text
[Doctrine\ORM\Query\QueryException]
SELECT a FROM AcmeTopBundle:ArtData a WHERE
a.name = 'A\'s'
```
I think I escaped it with mysql_escape_string, as in the case of using raw SQL.
How can I avoid this error in Doctrine?
Well, even though there is an accepted answer, it is not for the question as it is stated in the title. @Sven's answer comes close, but fails to mention this, from the Doctrine documentation:
"To escape user input in those scenarios use the Connection#quote() method."
And I have a gripe with "scenarios", or more with people pushing prepared statements like some holy grail. Well, they are nice in theory; in practice, at least in PHP, they are quite shitty, as they are unable to do simple stuff like IN (<list>) or multi inserts with VALUES (<bla bla>), (<more stuff>), which is a huge-ass deal, as without it one ends up resorting to quite sub-optimal SQL (to put it lightly) quite commonly (well, if one religiously insists on prepared statements at least).
The way I usually handle this is using parameters and the query builder (https://www.doctrine-project.org/projects/doctrine-orm/en/2.6/reference/query-builder.html)...

```php
// createQueryBuilder() takes no DQL string; the query is assembled with its
// fluent methods and the user value is bound as a named parameter.
$qb = $em->createQueryBuilder()
    ->select('a')
    ->from('AcmeTopBundle:ArtData', 'a')
    ->where('a.name = :name')
    ->setParameter('name', $name);
$result = $qb->getQuery()->execute();
```
This does not answer your question, but explains what's wrong with your code. It didn't fit into a comment.
You cannot and should not use mysql_escape_string(), but mysql_real_escape_string(). Reading the documentation does not sound like it, but to properly escape, you have to know which character encoding is being used. In western encoding schemes like ASCII, ISO-8859-x or even UTF-8 it probably does not make a difference, but there are some exotic Chinese encodings around which absolutely need to know whether that "'" byte belongs to another byte, or comes on its own. So in the end there are plenty of reasons why it is wrong to just use any escaping that sounds like it is doing the job.
The right way is to use the escaping of the database layer you are using. If you use Doctrine, then use it for escaping. Or better, avoid escaping: use prepared statements or the query builder and let Doctrine deal with the rest.
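The parameter-binding approach both answers recommend, applied to the question's query, as an added example that is not code from the question or the answers. It assumes $em is a configured Doctrine\ORM\EntityManager and that AcmeTopBundle:ArtData has a "name" field as in the question; it also covers the IN (<list>) case raised above, for which Doctrine ORM accepts an array bound to a single named parameter.

```php
<?php
// Added example (not from the question or answers). Assumes $em is a
// configured Doctrine\ORM\EntityManager and that the ArtData entity has a
// "name" field, as in the question. $name and $names stand in for user input.
$name  = "A's";                  // the input that broke the concatenated DQL
$names = ["A's", "O'Reilly"];    // constructed sample list for the IN case

// 1. Plain DQL with a named parameter: the value never becomes part of the
//    DQL text, so no manual quoting or escaping is involved.
$query = $em->createQuery(
    'SELECT a FROM AcmeTopBundle:ArtData a WHERE a.name = :name'
)->setParameter('name', $name);
$single = $query->getResult();

// 2. The same query via the ORM QueryBuilder. createQueryBuilder() takes no
//    DQL string; the statement is assembled with the fluent methods.
$qb = $em->createQueryBuilder()
    ->select('a')
    ->from('AcmeTopBundle:ArtData', 'a')
    ->where('a.name = :name')
    ->setParameter('name', $name);
$viaBuilder = $qb->getQuery()->getResult();

// 3. IN (<list>): bind the whole array to one named parameter; Doctrine ORM
//    expands it to one placeholder per element when it generates the SQL.
$inList = $em->createQuery(
    'SELECT a FROM AcmeTopBundle:ArtData a WHERE a.name IN (:names)'
)->setParameter('names', $names)->getResult();
```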