Firstly, symfony does that for you ;). Secondly, it was just a quick example to get him on the right road. I didn't have time to sit and show a fully worked, real world example.
Just to reiterate, symfony already checks what parameters are passed through GET and POST for you for SQL injection and cleans them. Try it yourself if you don't believe me. It's one of the great benefits of using a framework.

On Fri, Mar 5, 2010 at 8:12 PM, Augusto Flavio <afla...@gmail.com> wrote:
> Hi Gareth,
>
> the method that you show us has a security problem: SQL injection. You need to
> check what kind of parameter the user is sending.
>
> // only accept the two values an ORDER BY direction can take
> if (!in_array($parameter, array('asc', 'desc'), true)) {
>     //do something
> } else {
>     //execute the query
> }
>
> bye
>
> Augusto Morais
>
> --
> If you want to report a vulnerability issue on symfony, please send it to
> security at symfony-project.com
>
> You received this message because you are subscribed to the Google
> Groups "symfony users" group.
> To post to this group, send email to symfony-users@googlegroups.com
> To unsubscribe from this group, send email to
> symfony-users+unsubscr...@googlegroups.com
> For more options, visit this group at
> http://groups.google.com/group/symfony-users?hl=en

--
Gareth McCumskey
http://garethmccumskey.blogspot.com
twitter: @garethmcc
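The exchange above is about a sort direction taken from the request and placed into an ORDER BY clause. The example below is an added illustration for this thread; it is not symfony code and was not posted by either participant. The function names (`buildOrderClause`, `vulnerableOrderClause`), the `users` table and its rows are assumptions constructed for the demo. It shows why Augusto's allow-list check matters: a column name or ASC/DESC keyword cannot be bound as a prepared-statement parameter, so escaping or parameter binding does nothing for it, and an unchecked value lets an attacker leak data one comparison at a time through the resulting row order.

```php
<?php
// Added example (PHP 7+, pdo_sqlite extension). Not symfony's code and not
// from the original posts; names and sample data are assumptions.
declare(strict_types=1);

// Hardened: map the request values through allow-lists and emit only the
// fixed strings from those lists. Identifiers and keywords cannot be bound
// as prepared-statement parameters, so this is the correct control here.
function buildOrderClause(string $column, string $direction): string
{
    // user-facing sort key => real column identifier
    static $columns = ['name' => 'name', 'created' => 'created_at'];
    static $directions = ['asc' => 'ASC', 'desc' => 'DESC'];

    if (!array_key_exists($column, $columns)) {
        throw new InvalidArgumentException("unsortable column: $column");
    }
    $dir = strtolower($direction);
    if (!array_key_exists($dir, $directions)) {
        throw new InvalidArgumentException("bad sort direction: $direction");
    }
    return sprintf('ORDER BY %s %s', $columns[$column], $directions[$dir]);
}

// Vulnerable: the request value is interpolated straight into the SQL text.
function vulnerableOrderClause(string $direction): string
{
    return "ORDER BY name $direction";
}

// Constructed demo data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'alice', 's3cret'), (2, 'bob', 'hunter2')");

// Blind ORDER BY injection against the vulnerable form: the row order itself
// reveals whether the guessed first character of alice's password is right.
// A correct guess sorts by id (alice,bob); a wrong one sorts by -id (bob,alice).
foreach (['s', 'x'] as $guess) {
    $payload = "(CASE WHEN (SELECT substr(password,1,1) FROM users WHERE id=1)='$guess'"
             . " THEN id ELSE -id END) ASC";
    $rows = $pdo->query('SELECT name FROM users ' . vulnerableOrderClause($payload))
                ->fetchAll(PDO::FETCH_COLUMN);
    echo "vulnerable, guess '$guess': " . implode(',', $rows) . "\n";
}

// The hardened form accepts only the allow-listed values and rejects the payload.
foreach (['asc', 'DESC', $payload] as $input) {
    try {
        $rows = $pdo->query('SELECT name FROM users ' . buildOrderClause('name', $input))
                    ->fetchAll(PDO::FETCH_COLUMN);
        echo "hardened, '$input': " . implode(',', $rows) . "\n";
    } catch (InvalidArgumentException $e) {
        echo 'hardened rejected: ' . $e->getMessage() . "\n";
    }
}
```

Run it with `php example.php`. The two vulnerable runs print `alice,bob` for the guess `s` and `bob,alice` for `x`, which is exactly the one-bit oracle an attacker iterates over to read the whole column; the hardened loop prints the two legitimate orderings and then a rejection for the payload. The same allow-list pattern applies to any user-controlled identifier (column, table, LIMIT value), whichever ORM or framework sits underneath.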