How Best to Sanitize Inputs ?

You have to sanitize your own input, there's multiple ways to do that, but I really like this approach http://www.easylaravelbook.com/blog/2015/03/31/sanitizing-input-using-laravel-5-form-requests/

Depending on your needs of course

@tomo_pongrac tied triple braces - they just give you an error inside PHPStorm, then in your view it just disables the input., showing the underlying HTML in your code.

There is good aricle for read

http://lukeplant.me.uk/blog/posts/why-escape-on-input-is-a-bad-idea/

and similar thread

https://laracasts.com/discuss/channels/laravel/sanitizing-input

@vincej Do you want the user to be able to enter html tags into your form ?

If not you could just sanitize with vanilla php strip_tags http://php.net/manual/en/function.strip-tags.php

If you do want to show html from a variable, Depending on your Laravel version you would use either {{{ $variable }}} for laravel 4.x (i think) or {!! $variable !!} for 5.x

@vincej Hey !! More importantly !!! Did you install your debugger ???? :) Jim. No framework sanitizes anything by default.

@jimmck Hi Jim - Thanks for the feedback. I need to sanitize to prevent sql inject.

Debugger: it's on my list of things to finish - honest ! I have installed xdebug into storm and am working through a tutorial from Jeffrey on how to properly use it. My version of Storm (9.0.2) seems to be a bit different from his. No matter I'll get there. You used to do a whole bunch of Microsoft .net work, right ? Is .net any better than working with Laravel / Javascript etc ?

@Holm thanks for that. It looks like the solution I need.

@tomo_pongrac Thank you for the links. I started reading the articles, and then I came across this discussion on Laracasts:

https://laracasts.com/discuss/channels/laravel/sanitizing-input?page=1

In particular it references a presentation on security in Java EE, where input sanitisation is firmly recommended.

To be absolutely honest, I will never be an expert on security, however it feels to me that there is a bit of a pissing contest between the parties. So I am going to go with my gut and sanitize on the input and output. There - belt and braces. Cheers !

@vincej Hey, You use Eloquent if memory serves. You are pretty much safe as it does not execute direct SQL statements, it builds them.

http://www.easylaravelbook.com/blog/2015/07/22/how-laravel-5-prevents-sql-injection-cross-site-request-forgery-and-cross-site-scripting

.net will not buy you anything. You are already invested in PHP. I believe you said you came from CakePHP? I was a heavy duty Windows C/C++ coder for years and Years, then Java. But really its all the same. I really love PHP, I can go crazy and type check on my dime or go rogue! I have been having lots of fun with the language. I cannot stress enough to take the time to learn the language ins and outs. You come across as someone who has experience in producing stuff. Install that debugger! Need help, send me a message.

@jimmck Thanks for that. Yes, I have a whole life time in the software industry, but not as a developer rather has a business process / systems analyst for some of the biggest international corps. I spent most of my life on airplanes. Now independent, thank God.

I tried out the solution offered within "laravel made easy" which is fine:

$data = filter_var($input['name'], FILTER_SANITIZE_STRING);

However all it does is strip the offending tags off. It still allows crap to go through to the DB albeit, "cleansed". It occurs to me that the best way if a person is sanitizing say a text area could be simply using regex to id potentially malicious operators and script tags. Then provide a polite message that the user must enter a number or a character. That way it never hits the DB. Ok, I can back it up with a FILTER, sure, but does my approach not make more sense ?

Thanks !! ps: xdebug is installed. yes, I will finish the tut on xdebug tomorrow ! :)

@vincej The articles point is that the nature of PDO and the DB library protect against the common SQL attacks. Cleaning up a name take more eager code. Crap can always creep into the DB especially names, addresses and other text fields. You have to decide how and when to scrub your data. There a lots of places to look.

https://github.com/Respect/Validation

Many times to say onboard a customer, you have basic validation, like know companies, cities, countries. Then the new records get queued and batch jobs and/or external services further proof and validate the customer. In US that means different compliance scans. Meanwhile a 'working' record exists for the workflow downstream.

@jimmck Thanks for that - much appreciated.

btw I tend not to use Eloquent. I find Eloquent fine for simple queries but it falls down with complex joins, plus I find the syntax confusing when it is so close to collections. Can't help being old school. I prefer to use query builder.

i don't think sanitizing input is a great idea.

but to sanitize output you can use {{{

I've made a helper file:

function my_sanitize_number($number) {
    return filter_var($number, FILTER_SANITIZE_NUMBER_INT);
}

function my_sanitize_decimal($decimal) {
    return filter_var($decimal, FILTER_SANITIZE_NUMBER_FLOAT);
}

function my_sanitize_string($string) {
    $string = strip_tags($string);
    $string = addslashes($string);
    return filter_var($string, FILTER_SANITIZE_STRING);
}

function my_sanitize_html($string) {
    $string = strip_tags($string, '<a><strong><em><hr><br><p><u><ul><ol><li><dl><dt><dd><table><thead><tr><th><tbody><td><tfoot>');
    $string = addslashes($string);
    return filter_var($string, FILTER_SANITIZE_STRING);
}

function my_sanitize_url($url) {
    return filter_var($url, FILTER_SANITIZE_URL);
}

function my_sanitize_slug($string) {
    $string = str_slug($string);
    return filter_var($string, FILTER_SANITIZE_URL);
}

function my_sanitize_email($string) {
    return filter_var($string, FILTER_SANITIZE_EMAIL);
}

What do you think?

This probably does not work when preparing them for validation. (i.e.: if a field must be an integer, and someone sends 'a6isAnInteger', and you remove all the non-numbers, validation still fails because it is not an integer). When stepping through the code You'll see the data and the rules inserted at the same time, meaning you will run old values through the validation.

Since 5.3, we have 'prepareForValidation' to override if we want to sanitize/modify our input.

Concerning sanitation: I think sanitation should be on both input and output.

Personally I find it a bit ugly to do this in the 'rules' method.

I will add that in this lesson there is all the theory and the implementation you would need to know about sanitizing user input in Laravel. https://laracasts.com/series/lets-build-a-forum-with-laravel/episodes/101