Doctrine and SQL Injection
Does Doctrine automatically prevent SQL injection?
Is the following code secure?

$user = new Model_User();
$user->name = $_POST['username'];
$user->save();
As far as SQL injection is concerned I think there will be no problem. But you might want to make sure as well that the username is well formed (could for instance be <script>//do something bad</script> and that script would for instance be executed when you output that user name somewhere on the site).
You'll be safe from SQL injection with Doctrine (and any other PDO-based database library) as long as you use bound parameters (Doctrine will be using these under the hood, so your example is fine), but you shouldn't ever use input from a client without sanitizing it first. Take a look at PHP's Filter library - in particular the sanitization example. In your case, you'd want to at least validate that the name is a string using FILTER_SANITIZE_STRING ("Strip tags, optionally strip or encode special characters.").
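An added example (not part of the question or either answer) that separates the two controls the answer names: a bound parameter for the write, shown with plain PDO and an in-memory SQLite table because Doctrine sits on PDO, and a validation step plus HTML encoding for the username itself. It uses FILTER_VALIDATE_REGEXP instead of FILTER_SANITIZE_STRING, which PHP 8.1 deprecated; the table, the username pattern and the sample inputs are assumptions made for the example.

```php
<?php
// Added example, not code from the question or the answers.
declare(strict_types=1);

// Validate rather than "sanitize": accept only what a username may look like.
// (FILTER_SANITIZE_STRING is deprecated since PHP 8.1; a whitelist regexp is
// the replacement.) Quotes are allowed on purpose: binding handles them, so
// validation does not need to strip them. Returns null if not well formed.
function validateUsername(string $raw): ?string
{
    $ok = filter_var($raw, FILTER_VALIDATE_REGEXP, [
        'options' => ['regexp' => "/^[A-Za-z0-9_.'-]{1,32}$/"],
    ]);
    return $ok === false ? null : $ok;
}

// Store with a bound parameter: the value never becomes part of the SQL text,
// which is what makes $user->name = $_POST['username'] safe under Doctrine.
function insertUser(PDO $db, string $name): void
{
    $stmt = $db->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
}

// Encode at output time: SQL safety says nothing about the browser, so a
// stored name is HTML-escaped whenever it is rendered into a page.
function renderName(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed in-memory table standing in for the Model_User backing store.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed inputs: ordinary, one carrying a quote, one carrying markup.
foreach (['alice', "o'brien", '<script>alert(1)</script>'] as $input) {
    $name = validateUsername($input);
    if ($name === null) {
        echo 'rejected: ' . renderName($input) . "\n";
        continue;
    }
    insertUser($db, $name);            // the quote in o'brien is bound, not spliced
    echo 'stored:   ' . renderName($name) . "\n";
}
foreach ($db->query('SELECT name FROM users') as $row) {
    echo 'row:      ' . renderName($row['name']) . "\n";
}
```

The markup input is rejected before it reaches the database, the quoted name is stored intact through the bound parameter, and every name is encoded again on the way out, so the SQL layer and the HTML layer each get their own control.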