
Risks of Mass Assignment in Laravel

I started using Laravel with 4.0 where mass assignment was available by default... i.e.

$foo = Foo::create(['foo' => 'bar', 'bar' => 'foo']);

But I think in L4.1 fields available for mass assignment started having to be defined in the model. Now I'm going through a tutorial for L5 since I had learned L4 mostly through trial and error and I'm seeing mass assignment used on a lot of models that I would think to be rather high risk, such as Users.

I kind of expect to get flagged for asking for an opinion, but I'm unclear on what risks I'm worried about with mass assignment (SQL injection I'm assuming). Or does the fact that I'm defining what is mass assignable in the model take away the risk that was in the L4.0 system?

The "risk" is that developers often pass Input::all() into the model. Without the protection that the new system with $fillable and $guarded provides, unexpected user input can produce an error (to be exact an SQL error like: column foo not in field list) and it possibly allows the user to insert attributes you didn't want him to set by manipulating the request.
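To make the answer concrete, here is an added example (not from the question, the answer, or Laravel itself): a stripped-down stand-in for Eloquent's fill() that applies the same $fillable/$guarded policy, so you can see what Input::all() does to an unguarded model versus a whitelisted one without a database. The User model and the is_admin column are assumed for illustration.

```php
<?php
// Added example, not Eloquent's own code: a minimal model whose fill() follows
// the $fillable (whitelist) / $guarded (blacklist) rules the answer refers to.
// Assumed: the "User" model and the "is_admin" attribute are hypothetical.

class Model
{
    protected array $fillable = [];
    protected array $guarded = ['*'];   // Laravel 4.1+/5 default: everything guarded
    public array $attributes = [];

    public function fill(array $input): static
    {
        foreach ($input as $key => $value) {
            if ($this->isFillable($key)) {
                $this->attributes[$key] = $value;
            }
            // Keys that fail the check are silently dropped, not assigned.
        }
        return $this;
    }

    protected function isFillable(string $key): bool
    {
        if (in_array($key, $this->fillable, true)) {
            return true;
        }
        // With an explicit whitelist, anything not on it is rejected.
        if ($this->fillable !== []) {
            return false;
        }
        // No whitelist: $guarded decides, and ['*'] blocks every key.
        return $this->guarded !== ['*'] && !in_array($key, $this->guarded, true);
    }
}

// Model written the L4.0 way: nothing guarded, so every request key is assigned.
class UnguardedUser extends Model { protected array $guarded = []; }

// Model with an explicit whitelist; is_admin is deliberately left out of it.
class User extends Model { protected array $fillable = ['name', 'email']; }

// Constructed request body, as Input::all() would return it if a client
// added an extra field to the form submission.
$request = ['name' => 'alice', 'email' => 'alice@example.test', 'is_admin' => 1];

// The unguarded model keeps the extra key; the whitelisted one only name and email.
var_dump((new UnguardedUser)->fill($request)->attributes);
var_dump((new User)->fill($request)->attributes);
```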
