Seeker1337
4 months ago
704
4
Laravel

Laravel 6 Improving my forms' security

Posted 4 months ago by Seeker1337

Hey there. Basically my website will be going live in the next few days and I wanted to make sure the forms are properly secured against SQL injection and XSS. I have 3 forms - Contact form/ Buying vehicles form and a Search form. I'm passing the CSRF token in all of them and validating in the controllers.

I'm more concerned about the search form, though. Also when I type something in the search bar, the current CSRF token gets showed in the url because of the GET method.

localhost/mywebsite/public/vehicles?_token=fQDtPw0WbbYOxSIfhSoLdld5DZePKGR9vkjaClFG&vehsearch=bmw&submit=

ContactsController.php


use App\ContactsModel ;

public function store(Request $request)
    {
          $contactsmodel = $request->validate([
            
            'contactsusername' => 'required|max:40' ,
            'contactsemail' => 'required|email|max:50' ,
            'contactsinfo' => 'required|max:700' ,
            
        ]) ;
        
        $contactsmodel = new ContactsModel ;
        
        $contactsmodel->contactsusername = $request->contactsusername ;
        $contactsmodel->contactsemail = $request->contactsemail ;
        $contactsmodel->contactsinfo = $request->contactsinfo ;
        
        $contactsmodel->save() ;
        
        return redirect('contacts')->with('success', 'etc...') ;
    }


contacts.blade.php


<form action="{{ route('contacts.store') }}" method="POST" class="gv-po-form"> <br>
@CSRF
    
  <div class="form-group">
    <label for="gv-text">Name:</label>
    <input type="text" class="form-control" name="contactsusername"  required>
  </div>
    
 <div class="form-group">
    <label for="gv-text2"> E-mail: </label>
    <input type="email" class="form-control" name="contactsemail" required>
  </div>    
    
  <div class="form-group">
    <label for="gv-text3"> Information: </label>
    <textarea rows="6" cols="64" name="contactsinfo" required></textarea>
  </div>
  
  <button type="submit" class="btn btn-primary"> SEND </button> <br><br>
    
</form> 

VehiclesController.php

use App\VehiclesModel ;

public function store(Request $request)
    {
         $vehiclesmodel = $request->validate([
            
            'vehusername' => 'required|max:40' ,
            'vehphonenumber' => 'required|max:40' ,
            'vehemail' => 'required|email|max:40' ,
            'vehinfo' => 'required|max:700' ,
            'vehimages' => 'required' , 
            'vehimages.*' =>'image|mimes:jpeg,jpg,png',
          
        ]) ;
        
        
        $destinationPath = 'storage/veh-images' ;
        $vehimages = array() ;
        
        if($files=$request->file('vehimages')) {
            
        foreach($files as $file) {
            
            $filename = $file->getClientOriginalName() ;
            $file->move($destinationPath, $filename) ;
            $vehimages[] = $filename;
          }
        }
        //implode images with pipe symbol
        $vehallimages = implode("|",$vehimages) ;
        
        $vehiclesmodel = new VehiclesModel ;
        
        $vehiclesmodel->vehusername = $request->vehusername ;
        $vehiclesmodel->vehphonenumber = $request->vehphonenumber ;
        $vehiclesmodel->vehemail = $request->vehemail ;
        $vehiclesmodel->vehinfo = $request->vehinfo ;
        $vehiclesmodel->vehimages = $vehallimages ;
        
        $vehiclesmodel->save() ;
        
        return redirect('vehicles')->with('success', 'etc..') ;
        
    }


vehicles.blade.php


<form action="{{ route('vehicles.store') }}" method="POST" enctype="multipart/form-data" class="gv-po-form"> <br>
@CSRF    
    
  <div class="form-group">
    <label for="gv-text">Name:</label>
    <input type="text" class="form-control" name="vehusername" required>
  </div>
    
  <div class="form-group">
    <label for="gv-text2">Phone number:</label>
    <input type="number" class="form-control" name="vehphonenumber" required>
  </div>  
    
  <div class="form-group">
    <label for="gv-text3">E-mail:</label>
    <input type="email" class="form-control" name="vehemail" required>
  </div>     
    
  <div class="form-group">
    <label for="gv-text4"> Information: </label>
    <textarea rows="6" cols="64" name="vehinfo" required></textarea>
  </div>
    
  <div class="form-group">
    <label for="gv-text5"> Pictures of the vehicle: </label> <br>
    <input type="file" name="vehimages[]" multiple required>
  </div>    
  
  <button type="submit" name="submit" class="btn btn-primary"> SEND </button> <br><br>
    
</form>

VehSearchModel.php


    public function scopeSearch($vehsearchquery, $vehsearch)
    {
        $vehsearch = preg_replace('/\s+/', '%', $vehsearch) ;
        $vehsearch = "%{$vehsearch}%" ;

        $vehsearchquery->where(function ($vehsearchquery) use ($vehsearch) {
            $vehsearchquery->orWhere('vehmodel', 'like', $vehsearch);
            $vehsearchquery->orWhere('vehmark', 'like', $vehsearch);
            $vehsearchquery->orWhereRaw("CONCAT(vehmodel, ' ', vehmark) LIKE ?", [$vehsearch]);
    }) ;

    return $vehsearchquery ;
}

VehSearchController.php


  public function index(Request $request)
    {   
        $vehsearch = $request->input('vehsearch') ;
        
        $vehiclesmodel = VehiclesModel::latest()->search($vehsearch)->paginate(30) ;
        
        return view('vehicles', compact('vehiclesmodel', 'vehsearch')) ;
    }

vehicles.blade.php


 <form action="{{ route('vehicles.index') }}" method="GET" class="form-inline my-2 my-lg-0">
     <input type="hidden" name="_token" id="csrf-token" value="{{ Session::token() }}" />    
     <input type="text" name="vehsearch" value="{{ isset($vehsearch) ? $vehsearch: '' }}"  class="form-control mr-sm-2" placeholder="search..." aria-label="Search">
     <button class="btn btn-outline-success my-2 my-sm-0" type="submit" name="submit"> Search </button>
 </form> 

Please sign in or create an account to participate in this conversation.