Do I need to sanitize the user input Laravel

问题

I am using Laravel 4 with Eloquent. When I get the user input I just use $name=Input::get('name') and then I do $a->name=$name;

I don't know if the function Input::get protect me from SQL Injection and XSS. If it does not, what do I have to do to sanitize the input?

And, when I show the value in my view, shall I use {{$a}} or {{{$a}}}

Greetings and thanks.

回答1:

Laravel uses PDO's parameter binding, so SQL injection is not something you should worry about. You should read this though.

Input::get() does not filter anything.

Triple curly braces do the same as e() and HTML::entities(). All of them call htmlentities with UTF-8 support:

htmlentities($your_string, ENT_QUOTES, 'UTF-8', false);

回答2:

You should use {{{$a}}} because for example Input can has HTML tag. Laravel won't filter it.

To avoid SQL injection you should use bind your parameters running queries like:

$var = 1;
$results = DB::select('select * from users where id = ?', array($var));

and not:

$results = DB::select('select * from users where id = '.$var);

回答3:

You can use

https://github.com/Waavi/Sanitizer

It is vary solid easy to use library.

来源：https://stackoverflow.com/questions/26202682/do-i-need-to-sanitize-the-user-input-laravel