Is this safe (from an SQL injection perspective) to do:
$email = $_POST['email'];
$user = $dm->getRepository(self::$repository)->findOneBy(array('email' => $email));
Best
Edit: So, the string '[email protected]' comes into my method via a variable $email.
CodePudding user response:
You are safe from SQL injection because the MongoDB drivers do not speak SQL.
But beyond this, unless you use db.runCommand, there is no way to change a "find" statement (find, find_one, etc.) into an "update" or "delete" statement. No amount of variable substitution or trickery will change the basic behavior from read to anything else. In contrast, the classic cursor.execute("A SQL string") can do almost anything including adding/removing users and tables, etc. etc. and must be very carefully sanitized.
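An added example, not part of the original question or answer: a type check a practitioner would put in front of the findOneBy call from the question. PHP turns a form field submitted with a bracketed name into an array, and an array value in MongoDB criteria is not compared as a literal string, so the sketch accepts only a plain, well-formed string. The helper name emailCriterion and the sample inputs are hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not from the original post): return the submitted
 * e-mail as a plain string, or null if it cannot be used as a literal value.
 */
function emailCriterion(array $post): ?string
{
    $raw = $post['email'] ?? null;

    // A field sent as "email[...]" arrives as an array. In query criteria an
    // array is read as a sub-document or operator expression, not as a literal
    // string, so anything that is not a string is rejected here.
    if (!is_string($raw)) {
        return null;
    }

    $email = trim($raw);
    if ($email === '' || strlen($email) > 254) {
        return null;
    }

    // Syntactic check only; it does not prove the address exists.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    return $email;
}

// Constructed sample inputs standing in for $_POST.
$samples = [
    'plain string' => ['email' => 'alice@example.com'],
    'array value'  => ['email' => ['nested' => 'value']],
    'missing'      => [],
    'not an email' => ['email' => 'alice'],
];

foreach ($samples as $label => $post) {
    $email = emailCriterion($post);
    printf("%-13s => %s\n", $label, $email === null ? 'rejected' : "query with '$email'");
}

// In the method from the question (assumed surrounding code):
// $email = emailCriterion($_POST);
// if ($email === null) { /* respond with HTTP 400 and stop */ }
// $user = $dm->getRepository(self::$repository)->findOneBy(['email' => $email]);
```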