stackoom
  简体   繁体   中英

Do I need to sanitize the user input Laravel

 原文  2014-10-05 12:44:58       php/ laravel/ eloquent/ xss/ sql-injection

Question

I am using Laravel 4 with Eloquent. When I get the user input I just use $name=Input::get('name') and then I do $a->name=$name;

I don't know if the function Input::get protect me from SQL Injection and XSS. If it does not, what do I have to do to sanitize the input?

And, when I show the value in my view, shall I use {{$a}} or {{{$a}}}

Greetings and thanks.

4 answers

solution1
 17 ACCPTED  2014-10-05 12:52:20

Laravel uses PDO's parameter binding, so SQL injection is not something you should worry about. You should read this though.

Input::get() does not filter anything.

Triple curly braces do the same as e() and HTML::entities(). All of them call htmlentities with UTF-8 support:

htmlentities($your_string, ENT_QUOTES, 'UTF-8', false);

solution2
 5  2014-10-05 12:47:24

You should use {{{$a}}} because for example Input can has HTML tag. Laravel won't filter it.

To avoid SQL injection you should use bind your parameters running queries like:

$var = 1;
$results = DB::select('select * from users where id = ?', array($var));

and not:

$results = DB::select('select * from users where id = '.$var);

solution3
 -1  2020-09-04 20:47:09

Yes Always you need to save clean data in database, for that I was used HTML Purifier :

HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also make sure your documents are standards compliant, something only achievable with a comprehensive knowledge of W3C's specifications. Tired of using BBCode due to the current landscape of deficient or insecure HTML filters? Have a WYSIWYG editor but never been able to use it? Looking for high-quality, standards-compliant, open-source components for that application you're building? HTML Purifier is for you!

For Laravel projects you can use this service provider https://github.com/mewebstudio/purifier for including the HTMLPurifier in your project.

solution4
 -2  2019-12-11 06:20:25

You can use

https://github.com/Waavi/Sanitizer

It is vary solid easy to use library.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Sanitize user input in laravel Do I need to sanitize user input for GD text functions (imagettftext, imagestring etc.) Do I need to sanitize the input? PDO and mysql escape Do I need to sanitize input to file_exists? Do i need to sanitize input if using prepared PHP/MySQL queries? Do I need to sanitize user inputs when using Ajax? Do I need to sanitize user data for error_log() in PHP? Do I have to sanitize user input with prepared SQL statements? Do I need to clean user input for DB::query calls in laravel? Do I need to sanitize a form if only printing?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM