How to save data in the database safely in Laravel 5.1?
I want a comment form that anyone can fill in; the entered data is inserted into the database after validation:
<?php

namespace App\Http\Controllers;

use App\comments;
use Illuminate\Http\Request;
use App\Http\Requests;
use App\Http\Controllers\Controller;

class CommentController extends Controller
{
    public function postCommentNew(Request $request)
    {
        // Validation runs first; on failure Laravel redirects back with the errors.
        $this->validate($request, [
            'commenter' => 'required|max:255',
            'email'     => 'required|max:255',
            'comment'   => 'required',
            'post_id'   => 'required',
        ]);

        // Mass-assigns every request field; the model's $fillable list decides
        // which of them actually reach the database.
        comments::create($request->all());

        return redirect()->back()->with('success', 'Comment Submitted');
    }
}
Now I want to make sure that nobody can break my website! I want to save the data completely safely! I don't know whether it is necessary to sanitize the form input? If your answer is yes, how should I do it?
I have seen this here:
// Method of a FormRequest subclass: $this->all() and $this->replace()
// read and overwrite the request input.
public function sanitize()
{
    $input = $this->all();

    // Prepend a scheme when the submitted URL has none.
    if (preg_match("#https?://#", $input['url']) === 0) {
        $input['url'] = 'http://'.$input['url'];
    }

    // FILTER_SANITIZE_STRING strips tags from the value (deprecated since PHP 8.1).
    $input['name'] = filter_var($input['name'], FILTER_SANITIZE_STRING);
    $input['description'] = filter_var($input['description'], FILTER_SANITIZE_STRING);

    $this->replace($input);
}
From the Laravel 5.1 documentation:
    By default, Blade {{ }} statements are automatically sent through PHP's htmlentities function to prevent XSS attacks.
So the answer is that you do not need to build anything extra to sanitize the form input.
Regarding SQL injection, Laravel uses PDO prepared statements (Reference) and protects against possible SQL injection.
The example in your question is for protecting against injection via the URL, which is fine.
Finally, I mentioned this to you before.
Relying only on the documentation and my answer is not enough. So I want to stress the link above once more:
    You need to do your own penetration test when your project is done to ensure everything is working and secured as planned
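The two mechanisms the answer leans on, PDO parameter binding for the insert and escaping at output time, shown in plain PHP as an added example that is not part of the question or the answer. It assumes the pdo_sqlite extension is loaded and uses an in-memory SQLite table in place of the Laravel model.

```php
<?php
// Added example, not code from the question or the answer. Two mechanisms:
// 1. Parameter binding (what Eloquent does through PDO) keeps input out of the
//    SQL text, so a quote in the comment cannot alter the statement.
// 2. Escaping at output time (what Blade's {{ }} does via htmlentities) turns
//    markup in the stored text into inert characters.
// Assumes the pdo_sqlite extension is loaded; uses an in-memory database.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (
    id INTEGER PRIMARY KEY AUTOINCREMENT, commenter TEXT NOT NULL,
    email TEXT NOT NULL, comment TEXT NOT NULL, post_id INTEGER NOT NULL)');

// Store the raw text unchanged. Only whitelisted columns are written, which is
// the effect of $request->only([...]) rather than $request->all() in Laravel.
function saveComment(PDO $db, array $input): int
{
    $stmt = $db->prepare('INSERT INTO comments (commenter, email, comment, post_id)
                          VALUES (:commenter, :email, :comment, :post_id)');
    $stmt->execute([
        ':commenter' => $input['commenter'],
        ':email'     => $input['email'],
        ':comment'   => $input['comment'],
        ':post_id'   => (int) $input['post_id'],
    ]);
    return (int) $db->lastInsertId();
}

// Render for HTML the way Blade's {{ }} does: escape on output, not on input.
function renderComment(array $row): string
{
    $commenter = htmlentities($row['commenter'], ENT_QUOTES, 'UTF-8');
    $comment   = htmlentities($row['comment'], ENT_QUOTES, 'UTF-8');
    return "<p><b>$commenter</b>: $comment</p>";
}

// Constructed sample input holding both a single quote and HTML markup.
$id = saveComment($db, [
    'commenter' => "O'Brien",
    'email'     => 'obrien@example.com',
    'comment'   => '<script>alert(1)</script> nice post',
    'post_id'   => '7',
]);
$stmt = $db->prepare('SELECT * FROM comments WHERE id = :id');
$stmt->execute([':id' => $id]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
// The quote and the tag are stored literally and come out as text, not as SQL or HTML.
echo renderComment($row), PHP_EOL;
```

Run it with `php example.php`; the comment row keeps the original characters in the database, and the rendered line shows them as escaped entities.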