为Doctirne Expr静态方法提供变量是否安全(例如Expr ()->eq('p.var'， $v - Is it safe to provide variable to Doctirne Expr static methods (e.g. expr()->eq('p.var', $var))?

Is it safe to provide variable to Doctirne Expr static methods (e.g. expr()->eq('p.var', $var))?

为Doctirne Expr静态方法提供变量是否安全?

如果必须将它们设置为参数，是否有更简单的方法来实现，例如在$或->add()方法中?

可以是这样吗:

$or = $qb->expr()->orx();
if (!empty($sessionId)) {
    $or->add($qb->expr()->eq('up.session_id', $sessionId));
}
if ($user instanceof User) {
    $or->add($qb->expr()->eq('up.user_id', $user->getId()));
}

到目前为止，我的解决方案是:

$qb = $this->getEntityManager()->createQueryBuilder();
$or = $qb->expr()->orx();
if (!empty($sessionId)) {
    $or->add($qb->expr()->eq('up.session_id', ':session_id'));
}
if ($user instanceof User) {
    $or->add($qb->expr()->eq('up.user_id', ':user_id'));
}
$qb->select('up')
    ->from('SCCatalogBundle:UserProject', 'up')
    ->where($or)
    ->OrderBy('up.updated', 'DESC');
if (!empty($sessionId)) {
    $qb->setParameter('session_id', $sessionId);
}
if ($user instanceof User) {
    $qb->setParameter('user_id', $user->getId());
}
$query = $qb->getQuery();

据我所知，您应该使用setParameter来避免sql注入。我认为没有必要按照这个顺序设置参数。因此，您可以这样编写代码:

$qb = $this->getEntityManager()->createQueryBuilder();
$or = $qb->expr()->orx();
if (!empty($sessionId)) {
    $or->add($qb->expr()->eq('up.session_id', ':session_id'));
    $qb->setParameter('session_id', $sessionId);
}
if ($user instanceof User) {
    $or->add($qb->expr()->eq('up.user_id', ':user_id'));
    $qb->setParameter('user_id', $user->getId());
}
$qb->select('up')
    ->from('SCCatalogBundle:UserProject', 'up')
    ->where($or)
    ->OrderBy('up.updated', 'DESC');

$query = $qb->getQuery();