Do I need to sanitize user input in Laravel?


Solution 1

Laravel uses PDO's parameter binding, so SQL injection is not something you should worry about. You should read this though.

Input::get() does not filter anything.

Triple curly braces do the same as e() and HTML::entities(). All of them call htmlentities with UTF-8 support:

htmlentities($your_string, ENT_QUOTES, 'UTF-8', false);

Solution 2

You should use {{{$a}}} because, for example, the input can contain an HTML tag. Laravel won't filter it.

To avoid SQL injection you should bind your parameters when running queries, like:

$var = 1;
$results = DB::select('select * from users where id = ?', array($var));

and not:

$results = DB::select('select * from users where id = '.$var);
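As an added example (not code from either answer and not Laravel's own code), the script below uses plain PDO against an in-memory SQLite database to show both points the answers make: the concatenated query from Solution 2 executes attacker-controlled SQL while the bound version does not, and a raw value stored via a bound INSERT is escaped only at output time with the same htmlentities() call that Solution 1 says {{{ }}} and e() use. The users table, the hostile id and name values, and the escapeForHtml() helper are constructed for this demonstration.

```php
<?php
// Added example, not from the original answers or from Laravel.
// Requires only PHP with the pdo_sqlite extension; no web server needed.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample table and rows.
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");

// Constructed "user input": what an attacker might send as ?id=
$hostileId = '1 OR 1=1';

// 1. Concatenation (the "and not:" form from Solution 2). The input is spliced
//    into the SQL text, so the OR clause is parsed as SQL and every row matches.
$vulnerable = $pdo
    ->query('SELECT * FROM users WHERE id = ' . $hostileId)
    ->fetchAll(PDO::FETCH_ASSOC);
echo 'concatenated query returned ' . count($vulnerable) . " row(s)\n";

// 2. Parameter binding (the recommended form). The input travels as a value,
//    never as SQL. SQLite compares the text '1 OR 1=1' against the integer
//    column; it is not a well-formed number, so no row matches.
$stmt = $pdo->prepare('SELECT * FROM users WHERE id = ?');
$stmt->execute([$hostileId]);
$safe = $stmt->fetchAll(PDO::FETCH_ASSOC);
echo 'bound query returned ' . count($safe) . " row(s)\n";

// 3. "Filter input, escape output": store the raw value, escape when rendering.
//    Binding also takes care of the quotes inside the value on the way in.
$hostileName = '<script>alert(1)</script> "O\'Brien"';
$ins = $pdo->prepare('INSERT INTO users (id, name) VALUES (?, ?)');
$ins->execute([3, $hostileName]);

$sel = $pdo->prepare('SELECT name FROM users WHERE id = ?');
$sel->execute([3]);
$storedName = $sel->fetchColumn();

// The database holds exactly what was submitted, so the value is still
// correct for non-HTML uses (e-mail, JSON, CSV export) without un-escaping.
if ($storedName !== $hostileName) {
    throw new RuntimeException('stored value was altered');
}

/**
 * What {{{ $name }}} / e() do in a Blade view: the same htmlentities() call
 * quoted in Solution 1. ENT_QUOTES escapes both " and ' so the value is safe
 * inside quoted attributes as well as in element text; the final false
 * (double_encode) leaves entities already present in the string alone.
 * Helper name is this example's own, not a Laravel function.
 */
function escapeForHtml(string $value): string
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8', false);
}

echo 'rendered with {{{ }}}-style escaping: ' . escapeForHtml($storedName) . "\n";
```

Run it with `php example.php` on a machine with the pdo_sqlite extension. Note that the escaping in step 3 is HTML-context escaping only: a value placed into a JavaScript string, a URL or a SQL statement needs the escaping or binding appropriate to that context, which is why the answers say to bind at the query and escape at the view rather than to "clean" the input once on the way in.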
Author: FooBar

Updated on July 18, 2022

Comments

  • FooBar
    FooBar almost 2 years

    I am using Laravel 4 with Eloquent. When I get the user input I just use $name=Input::get('name') and then I do $a->name=$name;

    I don't know if the function Input::get protects me from SQL Injection and XSS. If it does not, what do I have to do to sanitize the input?

    And, when I show the value in my view, shall I use {{$a}} or {{{$a}}}?

    Greetings and thanks.

  • FooBar
    FooBar over 9 years
    So I should use htmlentities or something like that? What does Input::get filter?
  • Marcin Nabiałek
    Marcin Nabiałek over 9 years
    @Fylux As far as I know it's an interface for getting POST, GET and similar data. It trims data but doesn't filter it, so when displaying you should use triple braces; this way the htmlentities function is run on the variable's value.
  • FooBar
    FooBar over 9 years
    If I use {{{ to show it, should I use also htmlentities when saving the information?
  • Marcin Nabiałek
    Marcin Nabiałek over 9 years
    @Fylux No, using {{{ Laravel will do it for you
  • FooBar
    FooBar over 9 years
    But is there any problem if I have a corrupted input saved in my db?
  • Marcin Nabiałek
    Marcin Nabiałek over 9 years
    @Fylux What do you mean? There might always be some problem, and running htmlentities or {{{ should in theory solve this problem.
  • FooBar
    FooBar over 9 years
    I mean, would it be better to do both things, use htmlentities and {{{?
  • FooBar
    FooBar over 9 years
    And about your comment, I guess I won't have a problem with binding parameters because I use Eloquent.
  • cha-cha
    cha-cha over 9 years
    Escape output, not input.
  • cha-cha
    cha-cha over 9 years
    There's no need to alter data unless you actually use it. Filter input, escape output.
  • AdamJones
    AdamJones about 4 years
    It should be pointed out that Laravel provides raw SQL query support which isn't protected from injection at all. So there is always the chance that someone may build a site with some raw queries that do need manual cleaning.