Laravel
photosho, 2016-02-01 21:42:25

Is the data safe?

Hello. I'm interested in the following question. I send HTML code to the server via AJAX, which needs to be written to the database. Of course, the string is cleared of unnecessary tags (strip_tags). The data is passed in an array, and the HTML string is one of its parameters. I get the array of parameters on the server as follows:

if ($request->ajax()) {
    // the whole parameter array arrives as one request field
    $params = $request->input('params');
    // ... rest of the handler
}

Then the data is sent through the model (Eloquent) to the server by a simple assignment, for example:
$object->fulltext = $params['html'];
Cleaning of unnecessary tags is done inside the model. So here's the question I'm interested in. Is this assignment safe, or do you need to escape the string separately and do other things to maintain safety?

Dmitry Evgrafovich, 2016-02-04
@Tantacula

Read about PDO; it protects against injections. Eloquent, and probably every modern ORM, uses PDO. As for stripping tags, you can skip stripping them and not worry about it: when you output strings to the template using {{ }}, all unsafe characters are escaped.
In general, it might be worth thinking about why all your parameters arrive in one heap of params and are not split into separate variables. Do you use parameter validation at all?
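The two points of the answer side by side, as an added example that is not code from the question, the answer or Laravel itself: plain PDO with an in-memory SQLite table stands in for Eloquent, and the posts table, the escapeForHtml function and the $html sample are constructed for the example.

```php
<?php
// Added example, not code from the question or the answer. Plain PDO with an
// in-memory SQLite table stands in for Eloquent; Eloquent issues the same kind
// of prepared statement underneath. Table, column and sample input are constructed.

// Constructed input: an HTML fragment carrying a quote, a SQL statement and a
// script tag, the characters that matter for the two questions being asked.
$html = "<p>Hello</p>'; DROP TABLE posts; -- <script>alert(1)</script>";

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, fulltext TEXT)');

// 1) Storage. The value is sent as a bound parameter, never spliced into the SQL
//    text, so the quote and the DROP TABLE reach the database as plain data.
//    Building the statement by string concatenation instead, e.g.
//    "INSERT ... VALUES ('$html')", is what would turn it into an injection.
$insert = $pdo->prepare('INSERT INTO posts (fulltext) VALUES (:html)');
$insert->execute([':html' => $html]);

$stored = $pdo->query('SELECT fulltext FROM posts WHERE id = 1')->fetchColumn();
if ($stored !== $html) {
    throw new RuntimeException('value was altered on the way into the database');
}

// 2) Output. What was stored is raw HTML, so it is safe only if it is escaped
//    when rendered. Blade's {{ }} does this through e(); a hand-written view
//    must do the same. The flags below are the ones this example uses:
//    ENT_QUOTES escapes both quote styles, double_encode=false leaves
//    entities that are already encoded alone.
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8', false);
}

$rendered = escapeForHtml($stored);
if (strpos($rendered, '<') !== false || strpos($rendered, "'") !== false) {
    throw new RuntimeException('output escaping left a raw tag or quote');
}

// Validation belongs in the controller before any of this, so that 'html' is
// checked as a string field rather than taken blindly from the params array, e.g.
//   $this->validate($request, ['params.html' => 'required|string']);
echo $rendered, PHP_EOL;
```

If the stored HTML is meant to be rendered as markup ({!! !!}) rather than escaped, a real HTML sanitizer is needed at that point; strip_tags alone does not remove attributes such as event handlers from the tags it keeps.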
