Do I need to sanitize the user input Laravel
Solution 1
Laravel uses PDO's parameter binding, so SQL injection is not something you should worry about. You should read this though.
Input::get() does not filter anything.
Triple curly braces do the same as e() and HTML::entities(). All of them call htmlentities with UTF-8 support:
htmlentities($your_string, ENT_QUOTES, 'UTF-8', false);
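The following is an added example, not code from the answer or from Laravel itself: it runs the exact htmlentities() call quoted above on a few constructed input strings, so you can see what the triple braces / e() actually change (tags, both quote styles, UTF-8 left intact) and what the double_encode=false argument does to an entity that is already present. The function name escapeForHtml and the sample strings are my own.

```php
<?php
// Added example (not from the original answer or Laravel): exercise the
// htmlentities() call that Laravel's e() / {{{ }}} perform, on constructed input.

function escapeForHtml(string $value): string
{
    // The call quoted in the answer: ENT_QUOTES escapes both " and ',
    // 'UTF-8' keeps multibyte text intact, double_encode=false leaves
    // entities that are already encoded as they are.
    return htmlentities($value, ENT_QUOTES, 'UTF-8', false);
}

// Constructed samples of what a "name" field might receive from a form.
$samples = [
    'plain'         => 'Alice',
    'markup'        => '<b>Bob</b>',
    'script'        => '<script>alert(1)</script>',
    'double_quote'  => 'Say "hi"',
    'single_quote'  => "O'Brien",
    'entity'        => 'Fish &amp; Chips',
    'utf8'          => 'Zoë ünïcode',
];

foreach ($samples as $label => $raw) {
    $safe = escapeForHtml($raw);
    printf("%-13s raw : %s\n", $label, $raw);
    printf("%-13s safe: %s\n", $label, $safe);
    // Attribute context: ENT_QUOTES is what keeps the value inside the quotes.
    printf("%-13s attr: <input value=\"%s\">\n\n", $label, $safe);
}

// Contrast the fourth argument: the PHP default (double_encode=true)
// re-encodes the existing &amp; while Laravel's call leaves it alone.
printf("double_encode=true : %s\n", htmlentities('Fish &amp; Chips', ENT_QUOTES, 'UTF-8', true));
printf("double_encode=false: %s\n", escapeForHtml('Fish &amp; Chips'));
```

Run it with the php CLI. The point to take from the output is that escaping is context-specific: the same escaped string is safe as element text and inside a quoted attribute, which is why the answer stresses ENT_QUOTES, but it is not a substitute for validating the input on the way in.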
Solution 2
You should use {{{$a}}}
because for example Input can have HTML tags. Laravel won't filter it.
To avoid SQL injection you should bind your parameters when running queries like:
$var = 1;
$results = DB::select('select * from users where id = ?', array($var));
and not:
$results = DB::select('select * from users where id = '.$var);
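Added example, not part of the answer above: plain PDO with an in-memory SQLite table standing in for Laravel's DB::select(), which delegates to PDO parameter binding. Both query shapes from the answer are run against the same table with a benign value and with a constructed hostile value, so the difference between binding and string concatenation is visible in the row counts. The table, its rows, the function names and the input strings are all constructed for this demo; it assumes the pdo_sqlite extension is available.

```php
<?php
// Added example (not from the original answer or Laravel): plain PDO + SQLite
// in memory, standing in for DB::select(). Table rows and inputs are constructed.

function makeDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
    $ins = $pdo->prepare('INSERT INTO users (id, name) VALUES (?, ?)');
    foreach ([[1, 'alice'], [2, 'bob'], [3, 'carol']] as $row) {
        $ins->execute($row);
    }
    return $pdo;
}

// The unsafe shape from the answer: the value is spliced into the SQL text,
// so whatever the user typed becomes part of the statement.
function findByIdConcat(PDO $pdo, string $id): array
{
    return $pdo->query('SELECT * FROM users WHERE id = ' . $id)
               ->fetchAll(PDO::FETCH_ASSOC);
}

// The safe shape from the answer: the value travels as a bound parameter
// and is only ever compared against the column, never parsed as SQL.
function findByIdBound(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare('SELECT * FROM users WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo     = makeDb();
$benign  = '2';
$hostile = '2 OR 1=1';   // constructed: the kind of value a request parameter can carry

printf("bound,  benign : %d row(s)\n", count(findByIdBound($pdo, $benign)));
printf("bound,  hostile: %d row(s)\n", count(findByIdBound($pdo, $hostile)));
printf("concat, benign : %d row(s)\n", count(findByIdConcat($pdo, $benign)));
printf("concat, hostile: %d row(s)\n", count(findByIdConcat($pdo, $hostile)));
```

With binding, the hostile string is compared to the integer column as a literal and matches nothing; with concatenation the same string rewrites the WHERE clause and every row comes back. The same rule applies to any raw-query helper: if a value is joined into SQL text instead of passed in the bindings array, the driver cannot protect it.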
FooBar
Updated on July 18, 2022
Comments
-
FooBar almost 2 years
I am using Laravel 4 with Eloquent. When I get the user input I just use
$name=Input::get('name')
and then I do $a->name=$name;
I don't know if the function
Input::get
protect me from SQL Injection and XSS. If it does not, what do I have to do to sanitize the input? And, when I show the value in my view, shall I use
{{$a}}
or {{{$a}}}
Greetings and thanks.
-
FooBar over 9 years
So I should use htmlentities or something like that? What does Input::get filter?
-
Marcin Nabiałek over 9 years
@Fylux So far as I know it's an interface for getting POST, GET and so on data. It trims data but doesn't filter it, so when displaying you should use triple bracing - this way the htmlentities function is run on the variable value
-
FooBar over 9 years
If I use {{{ to show it, should I also use htmlentities when saving the information?
-
Marcin Nabiałek over 9 years
@Fylux No, using {{{ Laravel will do it for you
-
FooBar over 9 years
But is there any problem if I have a corrupted input saved in my db?
-
Marcin Nabiałek over 9 years
@Fylux what do you mean? There might always be some problem, and running htmlentities or {{{ in theory should solve this problem
-
FooBar over 9 years
I mean, whether it would be better to do both things: use htmlentities and {{{
-
FooBar over 9 years
And about your comment, I guess I won't have a problem with binding parameters because I use Eloquent.
-
cha-cha over 9 years
Escape output, not input.
-
cha-cha over 9 years
There's no need to alter data unless you actually use it. Filter input, escape output.
-
AdamJones about 4 years
It should be pointed out that Laravel provides raw SQL query support, which isn't protected from injection at all. So there is always the chance that someone may build a site with some raw queries that do need manual cleaning.