Affects Version/s: 2.2
Fix Version/s: None
Security Level: All
I'm using DBAL Connection's "insert" and "update" methods to manipulate my database.
Neither of those methods escapes reserved SQL keywords appropriately. See: http://www.doctrine-project.org/api/dbal/2.2/source-class-Doctrine.DBAL.Connection.html#493
For example the following method call will raise an Exception (SQL error):
$conn->insert('some_table', array(   // 'some_table' stands in for any table name
    'from' => 'foo',
    'to'   => 'bar'
));
Because the "from" key is a reserved SQL keyword.
A database abstraction layer such as DBAL MUST consider such situations and act appropriately (i.e. escape field names according to the quoting rules of the RDBMS in use).
In MySQL I have to do this manually before calling "insert" or "update":
$key = '`' . $key . '`';
And this is really bad practice, because it's a platform-dependent solution (works only for MySQL).
I hope you will find my words reasonable. It's important for a developer to be able to use any key names he deems necessary (even if they are reserved by SQL itself). Sometimes the developer doesn't even have a choice (e.g. when he receives a database from a third party and can't change its structure).
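A platform-independent form of the workaround above, as an added example that is neither part of this issue nor Doctrine's own code: the column names are passed through Connection::quoteIdentifier(), which delegates to the active platform's quoting rules, before the array reaches insert() or update(). It assumes an already-configured DBAL connection in $conn; the table and column names are placeholders.

```php
<?php
// Added example, not from the issue or from Doctrine itself.
// Assumes $conn is a configured Doctrine\DBAL\Connection (DBAL 2.x).
use Doctrine\DBAL\Connection;

/**
 * Return a copy of $data whose keys are quoted as identifiers for the
 * connection's platform: backticks on MySQL, double quotes on
 * PostgreSQL/SQLite/Oracle, square brackets on SQL Server.
 * Values are left untouched; DBAL still binds them as parameters.
 */
function quoteColumnKeys(Connection $conn, array $data)
{
    $quoted = array();
    foreach ($data as $column => $value) {
        $quoted[$conn->quoteIdentifier($column)] = $value;
    }
    return $quoted;
}

// "from" and "to" are reserved words; quoting them makes the generated
// INSERT valid on every platform instead of only on MySQL.
$conn->insert('some_table', quoteColumnKeys($conn, array(
    'from' => 'foo',
    'to'   => 'bar',
)));

// The same helper works for update(): both the data array and the
// identifier (WHERE) array are keyed by column name.
$conn->update(
    'some_table',
    quoteColumnKeys($conn, array('to' => 'baz')),
    quoteColumnKeys($conn, array('from' => 'foo'))
);
```

Quoting solves the reserved-word problem for column names that come from your own schema or a third-party database; a column name that originates from request input should still be checked against a known list of columns first, since quoting an identifier is not the same as validating it.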