Make users aware of security page by adding a SECURITY.md in root.

9230abad · Benjamin Eberlei · ca6a8dd2 · 9230abad · 9230abad
Commit 9230abad authored Feb 21, 2014 by Benjamin Eberlei
Show whitespace changes
Inline Side-by-side

Showing with 17 additions and 3 deletions

SECURITY.md SECURITY.md +14 -0

security.rst docs/en/reference/security.rst +3 -3

No files found.
--- a/SECURITY.md
+++ b/SECURITY.md
+Security
+========
+The Doctrine library is operating very close to your database and as such needs
+to handle and make assumptions about SQL injection vulnerabilities.
+It is vital that you understand how Doctrine approaches security, because
+we cannot protect you from SQL injection.
+Please read the documentation chapter on Security in Doctrine DBAL to
+understand the assumptions we make.
+- [Latest security.rst page on Github](https://github.com/doctrine/dbal/blob/master/docs/en/reference/security.rst)
+- [Security Page in rendered documentation](http://docs.doctrine-project.org/projects/doctrine-dbal/en/latest/reference/security.html)
--- a/docs/en/reference/security.rst
+++ b/docs/en/reference/security.rst
@@ -28,9 +28,9 @@ There are however some exceptions.
 The following APIs are designed to be **SAFE** from SQL injections:
- ``Doctrine\DBAL\Connection#insert($table, $values, $types)``
+- ``$values`` in ``Doctrine\DBAL\Connection#insert($table, $values, $types)``
- ``Doctrine\DBAL\Connection#update($table, $values, $where, $types)``
+- ``$values`` in ``Doctrine\DBAL\Connection#update($table, $values, $where, $types)``
- ``Doctrine\DBAL\Connection#delete($table, $where, $types)``
+- ``$values`` in ``Doctrine\DBAL\Connection#delete($table, $where, $types)``
 - ``Doctrine\DBAL\Query\QueryBuilder#setFirstResult($offset)``
 - ``Doctrine\DBAL\Query\QueryBuilder#setMaxResults($limit)``
 - ``Doctrine\DBAL\Platforms\AbstractPlatform#modifyLimitQuery($sql, $limit, $offset)`` for the ``$limit`` and ``$offset`` parameters.