Menu
I am using Laravel 4 with Eloquent.
When I get the user input I just use $name=Input::get('name') and then I do $a->name=$name;
I don't know if the function Input::get protect me from SQL Injection and XSS. If it does not, what do I have to do to sanitize the input?
And, when I show the value in my view, shall I use {{$a}} or {{{$a}}}
Greetings and thanks.
501
By default in Laravel there are two middlewares, which sanitize input data App\Http\Middleware\TrimStrings and Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull . Their names speak for themselves. These middlewares sanitize all input data of every request.
The Basics. The first lesson anyone learns when setting up a web-to-database—or anything-to-database gateway where untrusted user input is concerned—is to always, always sanitize every input.
An application receives queries and requests from untrusted sources that might expose the system to malicious attacks. Input sanitization ensures that the entered data conforms to subsystem and security requirements, eliminating unnecessary characters that can pose potential harm.
Therefore, to safeguard the database from hackers, it is necessary to sanitize and filter the user entered data before sending it to the database.
Laravel uses PDO's parameter binding, so SQL injection is not something you should worry about. You should read this though.
Input::get() does not filter anything.
Triple curly braces do the same as e() and HTML::entities(). All of them call htmlentities with UTF-8 support:
htmlentities($your_string, ENT_QUOTES, 'UTF-8', false);
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
