In my opinion the best approach always is to put data as plain as possible into a database and sanitize it when fetching data. Because if the sanitizer changes, you still have the plain data in your database and simply need to update the sanitizer logic inside the accessor.
sanitizing input
I am using Mailgun to receive incoming messages and route them to my application as POSTs.
Is it necessary to sanitize the message body before inserting into my db? Right now I have the following handle the request:
public function storeNotification(Request $request)
{
    // Reject anything that is not from the expected sender or does not match the expected body
    $this->validate($request, [
        'sender'     => 'in:sender@address.com',
        'body-plain' => 'regex:/lookingforthis/'
    ]);

    // Store the plain-text body as received
    IncomingEmail::create([
        'type'    => 'whatever',
        'content' => $request->input('body-plain')
    ]);

    // parse contents and do stuff...
}
Thanks!
That is not correct. Data should be sanitized before storing it because malicious JavaScript code could be embedded in a field. https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet If you do not understand security, go to that link and study.
Thank you. Wrapping it in the e() helper function before inserting into the db should do it then. Parameter binding prevents the possibility of SQL injection, right?
When you use Eloquent your data gets sanitized the way it needs to be saved. So this prevents you from SQL injection. But if you display this data you need to process it through htmlentities or use Blade's {{ $variable }}, which does this for you.
So as I wrote in my first post: If you are using Eloquent to store your data there is no need to sanitize it before.
Actually if sanitized in, you really don't need to sanitize for display, but doesn't hurt.
Always escape data you put to the screen (or elsewhere) if you cannot be sure where it came from. If you are going to do that anyway, why bother escaping it on input also?
This http://lukeplant.me.uk/blog/posts/why-escape-on-input-is-a-bad-idea/ makes a good case for "Filter on input, escape on output", but there are detractors in the comments that argue the other way.
My point of view is the same as the author's (and @bart here). You may not know the ways in which the data will be used in the future, so why trample all over it now?
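The "store it raw, bind the parameter, escape at output" approach the posts above describe, as an added example that is not code from anyone in this thread. It assumes PHP with the PDO SQLite driver and an in-memory database; the e() function here mirrors what Laravel's helper does and is defined locally so the script runs stand-alone.

```php
<?php
// Added example: raw storage via a bound parameter, escaping only at output time.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE incoming_emails (id INTEGER PRIMARY KEY, type TEXT, content TEXT)');

// Constructed sample body containing the two things the thread worries about:
// a single quote (SQL injection) and a script tag (XSS).
$bodyPlain = "Hello, it's me <script>alert(1)</script>";

// Store the body exactly as received. The bound value travels separately from
// the SQL text, so the quote cannot terminate the statement.
$insert = $pdo->prepare('INSERT INTO incoming_emails (type, content) VALUES (:type, :content)');
$insert->execute([':type' => 'whatever', ':content' => $bodyPlain]);

// Read it back: what is in the table is byte-for-byte what came in.
$row = $pdo->query('SELECT content FROM incoming_emails')->fetch(PDO::FETCH_ASSOC);
var_dump($row['content'] === $bodyPlain); // bool(true)

// Escape for the HTML context at the point of output (what Blade's {{ }} does).
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

echo '<p>' . e($row['content']) . "</p>\n";
// <p>Hello, it&#039;s me &lt;script&gt;alert(1)&lt;/script&gt;</p>

// Why escaping before storage costs you later: the stored value is no longer the
// original, so a second consumer (a JSON API here) either ships HTML entities in
// a non-HTML context or has to know to undo the HTML escaping first.
$escapedOnInput = e($bodyPlain);
echo json_encode(['content' => $escapedOnInput]) . "\n"; // carries &lt;script&gt; into JSON
echo json_encode(['content' => $row['content']]) . "\n"; // original text, JSON-escaped once
```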
I don't think that guy can walk and chew gum at the same time, the way that article babbled on. Again, you don't want malicious JavaScript code stored in the database. It has to be sanitized prior to being stored. Go to the Oracle site and search around. http://www.slideshare.net/mobile/myfear/security-in-practice-with-java-ee-6-and-glassfish I trust this; Java EE is used by state governments. Scroll over to the 15th slide. But read all slides.
Also see https://www.veracode.com/security/ldap-injection This is what scares me: people jump into Laravel without knowing the basics, including security, and program sites dealing with people's personal information. I've been doing this for over 25 years. At least @cheah2go asked an intelligent question. I beg you @cheah2go, do not believe this forum for this question; rather, for security's sake, go to the Oracle site, PHP site, asp.net and study up on security.
I keep running out of popcorn!
This is a very serious matter. We don't need newbies playing around with people's personal information who do not know how to implement proper security.
That is why Java programmers make over $100,000 a year and some of the other people who answered you here are probably hungry programmers. @cheah2go that was a good question.
See, I get a little nasty when I have to deal with that kind of answers, people! Security is a very serious concern these days. Sorry about the hungry programmer thing.
blah blah blah
Ah a reply from a hungry programmer.
I'm right.
Have you at least read security from the main sites?
@jlrdw and I don't always see eye to eye (close though). But 100% agree. You should be sanitizing, ensuring proper type etc. before saving any data. Yes, security can be taken too far, just like anything in life.
For example, for a blog post or discussion board (like this one) you need to accept some HTML and formatting options, but disallow ones that aren't needed or are a security issue. Then you can be reasonably sure your output is consistent. You can output a blog post or discussion unescaped, as you wouldn't be able to read it all jumbled up. Simple example, but if you allowed even your client's pissed-off employee with full access to put undesired code in, guess whose fault that will be.
And again it doesn't hurt to clean prior to display also.
Nope, it should be both ways. If done correctly, it is passed through the same method in both directions.
@jekinney when you present the data, like in an edit form, what do you use, htmlentities or what? A regular HTML form, not in Laravel using the form helper or Blade. I always sanitize in, but I haven't been doing any sanitizing in the other direction. But I think I am going to start. So what is your suggestion here? And thanks. And I was kidding @Snapey. I don't think you're a hungry programmer.
@jlrdw I think the best example is like a date format. Your incoming date needs to be formatted to be saved but also formatted to display properly. For the sake of argument, a timestamp in the database but you only need the date.
So I create a helper function that takes the input (like a setter).
public function formatDate($date)
{
    // $date is a Carbon instance; yields e.g. 2015-04-04, and when saved the time portion becomes 00:00:00
    return $date->toDateString();
}
Like I said, this can be used both ways, so on output you don't have the time added to the $date variable, and it also inputs the date properly formatted, especially for birthday fields where you have day, month and year as separate inputs.
use Carbon\Carbon;

// Build a Carbon instance from the separate inputs so formatDate() can call toDateString() on it
$date = Carbon::createFromDate($request->year, $request->month, $request->day);
$profile->date = $this->formatDate($date);
$profile->save();
// On output, run the stored value (cast to Carbon by the model) through the same helper
$this->formatDate($profile->date);
@jekinney do you also sanitize data prior to display? A long varchar field, for example. Like I said, I always sanitize in conjunction with storing the data, but up to this point I haven't been sanitizing for display. Would you also recommend sanitizing prior to display? And this question is generally speaking, so you're not using Laravel but regular PHP and HTML, just a hypothetical question.
And a side note: very short varchar fields I don't worry about one way or the other, because there's not room for malicious code.
Anyway you seem to have good instincts on proper technique.
No, as I use the escape function like you for small text etc. Also, if I require an integer input and the database column is integer, there is no need to triple check (so to speak) to display an integer; the same goes for a string you trim whitespace off before saving, no need to trim again on output.
I do when I have to display something like a blog post, where the post itself needs to be unescaped. But like I mentioned, I run it through the same function as before it's saved.
Thanks for the tips.