SQL Injection is a type of security vulnerability in which malicious SQL statements are inserted into an entry field for execution. SQL Injection happens when using code like this:

1

$query = 'SELECT * FROM User WHERE username = "'.$username.'" AND password = "'.md5($password).'"';

In such a request, you can assign to $username value toto" OR 1 = 1. The generated SQL request will be:

1

SELECT * FROM User WHERE username="toto" OR 1 = 1 AND password = "f71dbe52628a3f83a77ab494817525c6"

Because of operators precedence, this request is equivalent to:

1

SELECT * FROM User WHERE username="toto"

The result is that the malicious user can login as any other application user without having to provide any password.

To avoid this problem, you can use parameter binding in SQL query. This feature is provided by PDO-PHP module and is used like this:

1
2
3
4
5
6

$calories = 150;
$color = 'red';
$stmt = $conn->prepare('SELECT name, color, calories FROM fruit WHERE calories < :calories AND color = :color');
$stmt->bindParam(':calories', $calories, PDO::PARAM_INT);
$stmt->bindParam(':color', $color, PDO::PARAM_STR, 12);
$stmt->execute();

Doctrine integrates fully this feature from PDO. You can use it like this:

1
2
3

$query = $em->createQuery("SELECT u FROM CmsUser u LEFT JOIN u.articles a WITH a.topic LIKE :foo");
$query->setParameter('foo', $foo);
$users = $query->getResult();

Doctrine provides many tools to abstract you from raw SQL queries. For this reason, you are automatically protected when you use "high-level" methods like:

1
2

$qb = $this->createQueryBuilder('p');
$qb->where($expr->like('p.u', 'test_%'));

rules:
# ...
  doctrine.database_query_contains_string_and_variable_concatenation:
    enabled: true