14

I am using Laravel 4 with Eloquent. When I get the user input I just use $name=Input::get('name') and then I do $a->name=$name;

I don't know if the function Input::get protects me from SQL Injection and XSS. If it does not, what do I have to do to sanitize the input?

And, when I show the value in my view, shall I use {{$a}} or {{{$a}}}?

Greetings and thanks.

Fylux
  • In addition to the other answers, in case you decide to use something like new Something(Input::all()) make sure to specify the $fillable fields in the Something model, in order to protect against mass assignment. Not strictly pertaining to your questions, but something to be aware of. – Yasen Slavov Oct 05 '14 at 13:03

3 Answers

17

Laravel uses PDO's parameter binding, so SQL injection is not something you should worry about. You should read this though.

Input::get() does not filter anything.

Triple curly braces do the same as e() and HTML::entities(). All of them call htmlentities with UTF-8 support:

htmlentities($your_string, ENT_QUOTES, 'UTF-8', false);
cha-cha
  • If I use {{{ to show it, should I use also htmlentities when saving the information? – Fylux Oct 05 '14 at 13:08
  • Escape output, not input. – cha-cha Oct 05 '14 at 13:20
  • There's no need to alter data unless you actually use it. Filter input, escape output. – cha-cha Oct 05 '14 at 13:30
  • It should be pointed out that Laravel provides raw sql query support which isn't protected from injection at all. So there is always the chance that someone may build a site with some raw queries that do need manual cleaning. – AdamJones Feb 11 '20 at 13:33
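The escaping this answer describes, shown as an added example that is not part of the answer or of Laravel's own code: the escapeForHtml() function below reproduces the htmlentities() call that Laravel 4's e() helper and triple braces make, so the effect of {{ }} versus {{{ }}} can be seen with plain PHP. The $name value is a constructed sample.

```php
<?php
// Added example (not from the original answer): what Laravel 4's triple
// braces do to a value, reproduced with plain PHP so it runs outside Laravel.
// Laravel 4's e() helper wraps htmlentities() with exactly these arguments;
// the trailing false (double_encode) leaves already-encoded entities alone.
function escapeForHtml(string $value): string
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8', false);
}

// Constructed sample input: a "name" field that carries markup and a quote
// instead of a plain name, plus an entity that must not be double-encoded.
$name = '<img src=x onerror="alert(1)">O\'Brien &amp; Co';

// "Escape output, not input": the database keeps the string exactly as sent.
$stored = $name;

// {{ $stored }} in a Laravel 4 Blade view emits the raw markup, which the
// browser would interpret as an element with an event handler.
echo "unescaped: ", $stored, PHP_EOL;

// {{{ $stored }}} emits the entity-encoded form: <, >, " and ' become
// entities, so the browser shows the text instead of interpreting it.
echo "escaped:   ", escapeForHtml($stored), PHP_EOL;
```

Escaping happens once, at the point where the value is placed into an HTML context; storing the entity-encoded form instead would corrupt the data for any other consumer (an API response, a CSV export, a plain-text e-mail) and still not help if the value is later inserted into a JavaScript or URL context, which need their own encoders.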
5

You should use {{{$a}}} because, for example, Input can have HTML tags. Laravel won't filter it.

To avoid SQL injection you should bind your parameters when running queries, like:

$var = 1;
$results = DB::select('select * from users where id = ?', array($var));

and not:

$results = DB::select('select * from users where id = '.$var);
Marcin Nabiałek
-1

Yes, you always need to save clean data in the database; for that I used HTML Purifier:

HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also make sure your documents are standards compliant, something only achievable with a comprehensive knowledge of W3C's specifications. Tired of using BBCode due to the current landscape of deficient or insecure HTML filters? Have a WYSIWYG editor but never been able to use it? Looking for high-quality, standards-compliant, open-source components for that application you're building? HTML Purifier is for you!

For Laravel projects you can use this service provider https://github.com/mewebstudio/purifier for including the HTMLPurifier in your project.

AnasSafi
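An added example of the filtering this answer recommends, written against HTML Purifier's core API rather than the mewebstudio/purifier wrapper; it is not the answer's or the library's own sample code. It assumes the ezyang/htmlpurifier package is installed with Composer and that the allow-list below is what the application wants; the $dirty string is a constructed sample.

```php
<?php
// Added example (not from the original answer): filtering a rich-text field
// with HTML Purifier. Assumes ezyang/htmlpurifier is installed via Composer.
require __DIR__ . '/vendor/autoload.php';

$config = HTMLPurifier_Config::createDefault();
// Allow-list: only these elements and attributes survive; scripts, event
// handler attributes, iframes and unknown tags are removed, not escaped.
$config->set('HTML.Allowed', 'p,b,i,a[href],ul,ol,li');
// Restrict link targets to web URLs so javascript: and data: hrefs are dropped.
$config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
$purifier = new HTMLPurifier($config);

// Constructed input: legitimate markup mixed with a script element, an
// inline event handler and a non-http link, as a rich-text field might carry.
$dirty = '<p>Hello <b onmouseover="alert(1)">world</b>'
       . '<script>alert(1)</script>'
       . '<a href="javascript:alert(1)">link</a>'
       . '<a href="https://example.com/">ok</a></p>';

$clean = $purifier->purify($dirty);
echo $clean, PHP_EOL;
```

This is the "filter input" half of the first answer's "filter input, escape output": it is appropriate for fields that are meant to hold HTML (a post body from a WYSIWYG editor) and the purified value is what gets stored and later rendered with {{ }}. A plain field such as a name holds no HTML by design, so it is stored as sent and rendered with {{{ }}} instead; running it through a purifier would alter user data for no benefit.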