11 months ago

Forcing A Unique Rule To Ignore Multiple IDs

Posted 11 months ago by theFundi

I want to ignore 2 user ID's when updating a user resource, the admin making the update and the user being updated.

My app allows admins to update user accounts and both the UserAccountController and ManageCustomerController share the same form request validation which has a unique constraint on the email column.

I have written the below logic, but according to the documentation because I am using the URI parameter as the users ID this can open my application up to SQL injection:You should never pass any user controlled request input into the ignore method

I cant seem to find any issues with my logic, can anyone else share some insight ?

public function rules()
    if ( $this->user()->isAdmin() && $this->route('customer') !== null ) {
        $user_id = $this->route('customer');
    else $user_id = auth()->user()->id;

    return [
        'email' => 'sometimes|required|email|unique:users,email,'.$user_id

Please sign in or create an account to participate in this conversation.