Jonjie's avatar
Level 12

Security DB::raw() in Laravel

Is it safe to use this kind of code?

0 likes
7 replies
Jonjie's avatar
Level 12

@tray2 It is an API, so basically the request comes from the current latitude and longitude of the user.

drewdan's avatar

Are you validating the input data? I think that any data coming from an outside source should always be validated first.

Jonjie's avatar
Level 12

@drewdan Yes. I have a validation section for this.

$rules = [
	'latitude' => 'required',
	'longitude' => 'required'
];

$validator = Validator::make(request()->all(), $rules);

if ($validator->fails()) {
	return response()->json($validator->messages());
}
1 like
jlrdw's avatar

Numeric is more secure from SQL injection. But it's good to bind all parameters. Just me personally, I don't usually worry about things like int fields and date fields.

But you could experiment a little: try some SQL injection yourself, safe ones of course, and see what works and what doesn't work.

But remember that data is string data coming in or in a post. PHP and MySQL automatically handle it when being saved, whereas in some languages like C# you have to specifically cast those variables.
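An added example, not code from anyone in this thread: one way to combine the two points raised above (validate the coordinates as numbers, and bind them rather than placing them in the raw SQL text). It assumes a Laravel application on MySQL; the `places` table, its columns, the function name and the 25 km radius are hypothetical.

```php
<?php

use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Validator;

// Hypothetical handler; table, columns and radius are assumptions for illustration.
function nearbyPlaces(Request $request): JsonResponse
{
    // Type and range checks, not only "required": non-numeric input stops here.
    $validator = Validator::make($request->all(), [
        'latitude'  => ['required', 'numeric', 'between:-90,90'],
        'longitude' => ['required', 'numeric', 'between:-180,180'],
    ]);

    if ($validator->fails()) {
        return response()->json($validator->messages(), 422);
    }

    $input = $validator->validated();
    $lat = (float) $input['latitude'];
    $lng = (float) $input['longitude'];

    // Haversine distance in km. The SQL text is a constant string; request
    // values reach the database only through the ? placeholders.
    // LEAST(1.0, ...) keeps rounding error from pushing ACOS out of range.
    $distanceSql = '(6371 * ACOS(LEAST(1.0,
        COS(RADIANS(?)) * COS(RADIANS(latitude))
        * COS(RADIANS(longitude) - RADIANS(?))
        + SIN(RADIANS(?)) * SIN(RADIANS(latitude))
    ))) AS distance';

    $places = DB::table('places')
        ->select('id', 'name')
        // Bindings are passed separately, in placeholder order.
        // Interpolating $lat/$lng into DB::raw("...") would instead make
        // request data part of the SQL statement itself.
        ->selectRaw($distanceSql, [$lat, $lng, $lat])
        ->having('distance', '<=', 25)
        ->orderBy('distance')
        ->limit(50)
        ->get();

    return response()->json($places);
}
```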