I am using Laravel 4 with Eloquent. When I get the user input I just use $name = Input::get('name') and then I do $a->name = $name;
I don't know if the function Input::get protects me from SQL injection and XSS. If it does not, what do I have to do to sanitize the input?
And, when I show the value in my view, shall I use {{$a}} or {{{$a}}}?
Greetings and thanks.
Laravel uses PDO's parameter binding, so SQL injection is not something you should worry about. You should read this though.
Input::get() does not filter anything.
Triple curly braces do the same as e() and HTML::entities(). All of them call htmlentities with UTF-8 support:
htmlentities($your_string, ENT_QUOTES, 'UTF-8', false);
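As an added example (not part of the answer above), this shows what that htmlentities call does to an untrusted field, i.e. what {{{ }}} emits compared with the raw value {{ }} would emit. It uses only the PHP standard library, so it runs without a Laravel install; escape_for_html() is a hypothetical name standing in for Laravel 4's e() helper, which makes the same call.

```php
<?php
// Added example: Laravel 4's {{{ }}} / e() escaping versus the raw value.
// Assumes only the PHP standard library; no Laravel install needed.

// Same call Laravel 4's e() helper makes (htmlentities, ENT_QUOTES, UTF-8, no double-encode).
// The function name is a stand-in chosen for this example.
function escape_for_html(string $value): string
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8', false);
}

// Constructed sample: a "name" field that carries markup instead of a name.
$untrustedName = '<b onmouseover="alert(1)">Bob</b> & "friends"';

// What {{ $a->name }} would emit in Laravel 4: the markup reaches the browser intact.
$raw = $untrustedName;

// What {{{ $a->name }}} emits: tag delimiters, ampersands and quotes become entities,
// so the browser renders them as text and never parses them as HTML.
$escaped = escape_for_html($untrustedName);

echo "raw:     {$raw}\n";
echo "escaped: {$escaped}\n";

// The fourth argument (double_encode = false) leaves an already-escaped string
// alone instead of turning &amp; into &amp;amp;.
assert(escape_for_html('&amp;') === '&amp;');
```

Escaping happens at output time, so it does not matter whether the value came from Input::get() or from the database; whatever {{{ }}} prints is rendered as text.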
You should use {{{$a}}} because, for example, the input can contain HTML tags. Laravel won't filter it.
To avoid SQL injection you should bind your parameters when running queries like:
$var = 1;
$results = DB::select('select * from users where id = ?', array($var));
and not:
$results = DB::select('select * from users where id = '.$var);
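To make the difference between the two forms concrete, here is an added example (not from the answer above) that runs the bound query beside the concatenated one against an in-memory SQLite table, so it works without Laravel. Laravel's DB::select('... ?', array($var)) goes through the same PDO binding shown here. It assumes the pdo_sqlite extension is available; the table, rows, and both function names are constructed for this example.

```php
<?php
// Added example: bound parameter versus string concatenation, on PDO directly.
// Assumes the pdo_sqlite extension; table contents are constructed sample data.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");

// Safe: the value travels to the driver separately from the SQL text, so it can
// only ever be compared as data, never parsed as part of the statement.
function find_user_bound(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare('SELECT * FROM users WHERE id = ?');
    $stmt->execute(array($id));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Unsafe: the value is spliced into the statement text, so whatever the user
// typed is parsed as SQL. This is the "and not" form from the answer.
function find_user_concat(PDO $pdo, string $id): array
{
    return $pdo->query('SELECT * FROM users WHERE id = ' . $id)->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input: an ordinary id, and a value that is not a number at all.
$ordinary = '2';
$hostile  = '2 OR 1=1';

// Both forms agree on well-formed input.
echo count(find_user_bound($pdo, $ordinary)), " row(s) bound, ",
     count(find_user_concat($pdo, $ordinary)), " row(s) concatenated\n";

// On the malformed input the bound query returns no rows (no id equals that string),
// while the concatenated query's WHERE clause has been rewritten and returns every user.
echo count(find_user_bound($pdo, $hostile)), " row(s) bound, ",
     count(find_user_concat($pdo, $hostile)), " row(s) concatenated\n";
```

The same rule applies to Eloquent: where() and the other query builder methods bind their arguments for you, and the only way to lose that protection is to build SQL strings by hand (DB::raw, whereRaw, or concatenation as above).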
Yes, you always need to save clean data in the database; for that I used HTML Purifier:
HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also make sure your documents are standards compliant, something only achievable with a comprehensive knowledge of W3C's specifications. Tired of using BBCode due to the current landscape of deficient or insecure HTML filters? Have a WYSIWYG editor but never been able to use it? Looking for high-quality, standards-compliant, open-source components for that application you're building? HTML Purifier is for you!
For Laravel projects you can use this service provider https://github.com/mewebstudio/purifier for including the HTMLPurifier in your project.
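As an added example (not from the answer above, and not the service provider's own code), this is a minimal HTML Purifier whitelist applied to a field before it is stored. It assumes the ezyang/htmlpurifier package is installed via Composer; the Laravel service provider linked above wraps this same library, so the configuration directives are the same. The sample input and the make_purifier() name are constructed for this example.

```php
<?php
// Added example: whitelist-based HTML Purifier configuration for an HTML field.
// Assumes ezyang/htmlpurifier is installed via Composer (vendor/autoload.php).
require 'vendor/autoload.php';

function make_purifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    // Whitelist, not blacklist: only these elements and attributes survive.
    $config->set('HTML.Allowed', 'p,b,i,a[href],ul,ol,li');
    // Only http/https links; javascript: and data: URLs are dropped with the attribute.
    $config->set('URI.AllowedSchemes', array('http' => true, 'https' => true));
    $config->set('Core.Encoding', 'UTF-8');
    return new HTMLPurifier($config);
}

// Constructed sample: a bio field with legitimate formatting mixed with
// markup that should never reach the database.
$dirty = '<p>Hi, I am <b>Bob</b>.</p>'
       . '<script>document.cookie</script>'
       . '<a href="javascript:alert(1)">click</a>'
       . '<p onclick="alert(1)">see <i>more</i></p>';

$clean = make_purifier()->purify($dirty);

// Store $clean, not $dirty. The script element, the javascript: href and the
// onclick handler are not in the whitelist, so they are removed; the paragraph,
// bold and italic markup is kept.
echo $clean, "\n";
```

Purification is for fields that are meant to hold HTML (a WYSIWYG bio, a forum post). A field that is meant to be plain text, such as the name in the question, does not need it: store the value as typed and escape it with {{{ }}} when you display it.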