chriz74:

Do we need to validate user input using regex to prevent SQL injection?

I was reading this article:

https://www.cloudways.com/blog/prevent-xss-exploits-using-laravel-validation-and-sanitization/

This guy says that, to prevent users from inputting malicious code in posts, comments etc., it's advisable to use a regex in the validation like this:

'names' => 'required|max:255|regex:[A-Za-z1-9 ]',

In my code I have a comment controller that I was validating like this:

    $rules = array(
        'post_id' => 'required',
        'body' => 'required'
    );

I tried to input this code in the post, <script>alert("boom")</script>, and the result is that the post succeeds but is empty, so I guess Laravel is deleting that input. Am I right or am I missing something?

Anyway I changed the rules to:

    $rules = array(
        'post_id' => 'required|integer',
        'body' => 'required|regex:[A-Za-z1-9 ]'
    );

And the post doesn't work anymore. I get "undefined"; removing the regex from the validation makes it work again.

chriz74:

@jlrdw ok, but doesn't Laravel itself perform the stripping? I tried to input something like "some text <script>alert("boom")</script> some text" and the resulting post is "some text some text". That is without the regex in the validation rules, which I have now changed to 'body' => 'required|string'.

jlrdw:

doesn't laravel itself perform the stripping?

I think blade does something, I don't use blade. I strip tags no matter. I have a small function in a helper class:

    // Returns NULL for empty non-numeric values, otherwise the value with HTML tags removed and whitespace trimmed.
    public static function fixValue($rvalue) {
        $rvalue = empty($rvalue) && !is_numeric($rvalue) ? NULL : trim(strip_tags($rvalue));
        return $rvalue;
    }

But if some HTML is allowed, like here on forum, there are packages like: http://htmlpurifier.org/

EDIT: Don't get XSS confused with SQL injection, two different things.

See https://laracasts.com/discuss/channels/general-discussion/sql-injection-2

Eloquent and the query builder properly handle binding, but watch out for raw expressions. Also see:

https://laracasts.com/discuss/channels/eloquent/writing-all-queries-directly-vs-model-relations

https://laracasts.com/discuss/channels/laravel/sql-native-to-query-builder

Vilfago:

If you put {{ $variable }} in Blade it sanitizes the input; you can try with {!! $variable !!}.

But I'd expect you to see the text but not the alert with the first option.

jlrdw:

The thing about htmlspecialchars is that it only converts to HTML entities. In my case I do not want safe conversion, I want them stripped. But the choice is yours; the average user isn't going to try to sneak an XSS through. But some will. You shouldn't need tags or special characters unless you are hosting (like this) a code forum.

See https://www.w3schools.com/php/func_string_htmlspecialchars.asp

And as far as the ease of sections and partials, you can do that with just regular commands from the API, example:

<?= View::make('partials/dpag')->render(); ?>

You can also pre make a view and use it in a template just example:

        $view = 'dog/index';
        $layout = ViewLayout::getLayout('dog/indextp');  // my custom function
        $content = View::make($view)
                ->with('dogs', $dogs)
                ->with('pagelinks', $pagelinks);
        return view($layout)->with('content', $content)->with('title', $title);

And in the template:

<?php echo $content; // the actual view ?>

or

<?= $content; // short form ?>

But if one studies the API docs, that is where you learn this stuff.

I used template not layout because layout is already used for blade.

Blade would be okay if it had settings where you could choose how it worked, i.e. strip_tags instead of htmlspecialchars.

Also blade converts to the PHP equivalent at runtime.
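The three points raised in this thread, pulled into one plain-PHP script so they can be checked without a Laravel app (added example, not code from the thread or from Laravel): why the rule from the article rejects ordinary text, the difference between escaping (Blade's {{ }}) and stripping (jlrdw's fixValue), and why SQL injection is handled separately by bound parameters. It assumes the pdo_sqlite extension is available; the function names, the input string and the in-memory table are constructed for the demonstration.

```php
<?php
// Added example (not from the thread). Plain PHP; no Laravel needed.

// 1. The article's rule: PCRE accepts [ and ] as bracket-style delimiters,
//    so 'regex:[A-Za-z1-9 ]' is parsed as the literal pattern "A-Za-z1-9 ",
//    which ordinary comment text never contains.
function matchesArticleRule(string $s): bool {
    return preg_match('[A-Za-z1-9 ]', $s) === 1;
}

// A delimited, anchored version of what the article meant (0 added to the class).
// In Laravel this would be written 'regex:/^[A-Za-z0-9 ]+$/'.
function matchesFixedRule(string $s): bool {
    return preg_match('/^[A-Za-z0-9 ]+$/', $s) === 1;
}

// 2a. Escaping for display: tags survive as text, the browser renders them inert.
function escapeForHtml(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// 2b. Stripping on input: tags are removed, their inner text is kept.
function stripTagsValue($rvalue) {
    return empty($rvalue) && !is_numeric($rvalue) ? null : trim(strip_tags($rvalue));
}

// 3. SQL injection is solved by binding, not by the regex above or by strip_tags.
function insertComment(PDO $pdo, int $postId, string $body): void {
    $stmt = $pdo->prepare('INSERT INTO comments (post_id, body) VALUES (:post_id, :body)');
    $stmt->execute([':post_id' => $postId, ':body' => $body]);
}

function countComments(PDO $pdo): int {
    return (int) $pdo->query('SELECT COUNT(*) FROM comments')->fetchColumn();
}

// Constructed sample input, the same shape as the one tried in the thread.
$input = 'some text <script>alert("boom")</script> some text';

var_dump(matchesArticleRule('hello world'));   // literal pattern never matches
var_dump(matchesFixedRule('hello world'));
var_dump(matchesFixedRule($input));            // < > " ( ) are outside the class
echo escapeForHtml($input), PHP_EOL;
echo stripTagsValue($input), PHP_EOL;

// The bound value is stored as data, so the table is still there afterwards.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, post_id INTEGER, body TEXT)');
insertComment($pdo, 1, "x'); DROP TABLE comments; --");
echo countComments($pdo), PHP_EOL;
```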
