Question

In Doctrine 2, how can I protect against SQL injections when using the ORM? I found the following page on the Doctrine site: http://docs.doctrine-project.org/projects/doctrine-dbal/en/latest/reference/security.html

However, that is about DBAL and not about the ORM.

Is it safe to use things like below assuming that $id is a posted value?

$entityManager->getRepository('Product')->find($id);

Or is it better to create the query instead using named parameters like this:

// DQL Prepared Statements
$dql = "SELECT p FROM Product p WHERE p.id = ?1";
$query = $em->createQuery($dql);
$query->setParameter(1, $_GET['pid']);
$data = $query->getResult();

Please note that I don't seek just a yes or no answer, but whether there is some authoritative documentation that ensures that this is OK.
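As an added illustration (not part of the question and not the Doctrine project's own code), here are the patterns the question compares, side by side with the one form that is actually exposed. It assumes a mapped Product entity with an integer id, a configured EntityManagerInterface, and a hypothetical `active` field used only to show dynamic query building. The ORM issues every query through DBAL prepared statements, so both find() and setParameter() bind the value instead of splicing it into the query text; only string interpolation into the DQL puts request data inside the statement.

```php
<?php
// Added example, not from the original question or the Doctrine project.
// Assumptions: a mapped Product entity with an integer id, a configured
// EntityManagerInterface, and a hypothetical "active" boolean field.

use Doctrine\ORM\EntityManagerInterface;

final class ProductLookup
{
    public function __construct(private EntityManagerInterface $em) {}

    /** Validate the raw request value before it reaches any query at all. */
    private function toId(mixed $raw): int
    {
        $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id === false) {
            throw new \InvalidArgumentException('Product id must be a positive integer');
        }
        return $id;
    }

    /** 1. Repository find(): the identifier is bound as a prepared-statement parameter. */
    public function byFind(mixed $raw): ?Product
    {
        return $this->em->getRepository(Product::class)->find($this->toId($raw));
    }

    /** 2. DQL with a named parameter: the value never becomes part of the DQL string. */
    public function byDql(mixed $raw): ?Product
    {
        return $this->em
            ->createQuery('SELECT p FROM Product p WHERE p.id = :id')
            ->setParameter('id', $this->toId($raw))
            ->getOneOrNullResult();
    }

    /** 3. QueryBuilder: same binding, useful when the WHERE clause is assembled at runtime. */
    public function byQueryBuilder(mixed $raw, bool $onlyActive): ?Product
    {
        $qb = $this->em->createQueryBuilder()
            ->select('p')
            ->from(Product::class, 'p')
            ->where('p.id = :id')
            ->setParameter('id', $this->toId($raw));
        if ($onlyActive) {
            // "active" is a hypothetical field; the condition contains no request data.
            $qb->andWhere('p.active = true');
        }
        return $qb->getQuery()->getOneOrNullResult();
    }

    /**
     * Anti-pattern: interpolating the request value into the DQL text.
     * The parser then sees attacker-controlled query syntax, which Doctrine
     * translates into SQL. Keep all request values in setParameter() instead.
     */
    public function byInterpolation(string $raw): ?Product
    {
        $dql = "SELECT p FROM Product p WHERE p.id = $raw"; // do not do this
        return $this->em->createQuery($dql)->getOneOrNullResult();
    }
}

// Usage from a controller, with $em injected by the framework:
// $product = (new ProductLookup($em))->byDql($_GET['pid'] ?? null);
```

The toId() validation is independent of the binding: parameters stop the value from being parsed as query syntax, while the integer check rejects garbage early and gives a clean error instead of a database exception.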

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow