
TYPO3: how to migrate $GLOBALS['TYPO3_DB']->quoteStr() for Doctrine insert()


In the past, I used quoteStr() to sanitize input data before inserting it into the database with exec_INSERTquery() e.g. like this:

    'info' => $GLOBALS['TYPO3_DB']->quoteStr($info, 'tx_mytablename')

What is the proper way to sanitize input data (strings) for usage with Doctrine in TYPO3 8 and above?


Solution

  • Depending on your use-case, the following functions provided by Doctrine can (should!) be used to sanitize data in SQL queries:

    • createNamedParameter()
    • quoteIdentifier()
    • quoteIdentifiers()

    Further details are available in the TYPO3 documentation (section "QueryBuilder").

    The following code example demonstrates how to apply createNamedParameter() for the integer value named $customerNumber.

    // $queryBuilder is obtained from the ConnectionPool, e.g.
    // GeneralUtility::makeInstance(ConnectionPool::class)->getQueryBuilderForTable('fe_users');
    $query = $queryBuilder
      ->select('username', 'customerNumber')
      ->from('fe_users')
      ->where($queryBuilder->expr()->eq(
        'customerNumber',
        // the value is bound as a typed parameter, never concatenated into the SQL string
        $queryBuilder->createNamedParameter($customerNumber, \PDO::PARAM_INT)
      ))
      ->execute();
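The question itself is about an INSERT, so here is the migration of the old quoteStr()/exec_INSERTquery() pair to the Doctrine-based API as an added example (this is not code from the answer above or from the TYPO3 project). It assumes a hypothetical table tx_mytablename with the columns pid, info and tstamp; the ConnectionPool, Connection::insert() and QueryBuilder::insert()/values() calls are the real TYPO3 8+ API. In both variants the string in $info is passed as a prepared-statement parameter, so no manual escaping is needed or wanted (escaping it first would store a double-escaped value).

```php
<?php
use TYPO3\CMS\Core\Database\ConnectionPool;
use TYPO3\CMS\Core\Utility\GeneralUtility;

/**
 * Variant 1: Connection::insert()
 * Column names are quoted as identifiers by TYPO3, values are bound
 * as parameters. $types is positional and matches the order of $data.
 */
function insertInfoViaConnection(string $info, int $pid): int
{
    $connection = GeneralUtility::makeInstance(ConnectionPool::class)
        ->getConnectionForTable('tx_mytablename'); // hypothetical table

    return $connection->insert(
        'tx_mytablename',
        [
            'pid'    => $pid,
            'info'   => $info,   // raw user input, bound as a string parameter
            'tstamp' => time(),
        ],
        [
            \PDO::PARAM_INT,
            \PDO::PARAM_STR,
            \PDO::PARAM_INT,
        ]
    );
}

/**
 * Variant 2: QueryBuilder insert.
 * values() creates named parameters for every value by default, so this is
 * equivalent to calling createNamedParameter() on each value yourself.
 */
function insertInfoViaQueryBuilder(string $info, int $pid): int
{
    $queryBuilder = GeneralUtility::makeInstance(ConnectionPool::class)
        ->getQueryBuilderForTable('tx_mytablename'); // hypothetical table

    return $queryBuilder
        ->insert('tx_mytablename')
        ->values([
            'pid'    => $pid,
            'info'   => $info,   // bound as a parameter, not interpolated into SQL
            'tstamp' => time(),
        ])
        ->execute();
}

// Constructed sample input containing characters that quoteStr() used to escape.
$sampleInfo = "O'Reilly; DROP TABLE tx_mytablename; --";
insertInfoViaConnection($sampleInfo, 1);
insertInfoViaQueryBuilder($sampleInfo, 1);
```

Both functions return the number of affected rows (1 on success). The old quoteStr() call only addressed the value; with the Doctrine API the value is handled by parameter binding and the table and column names by quoteIdentifier(), which is why the two concerns are now separate methods.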