Question
In my controller I have this code:
public function create($brand_id)
{
Brand::findOrFail($brand_id);
}
and this:
public function search()
{
    $q = Input::get('q');
    $brands = Brand::where('title', 'LIKE', '%'.$q.'%')->take(80)->get();
    return $brands;
}
Is this code safe? By "safe" I mean SQL injection safe. Or should I do some variable clean up here? And what is the best way for cleaning up user input? Thanks a lot for helping me :)
Answer 1:
Yes, Eloquent uses parameter binding behind the scenes, which safely escapes any input used in where().
Answer 2:
The documentation says that Eloquent handles this behind the scenes, but you can also use something like DB::escape($q) to be on the safer side.
Answer 3:
Yes, but note that not all parameters are safe in the where statement:
public function search()
{
    // the column name comes straight from the request and is interpolated into the SQL
    $col = Input::get('col');
    $brands = Brand::where($col, 'LIKE', '%sql injection in column name%')->take(80)->get();
    return $brands;
}
In this case SQL injection is possible!
The first parameter, the column name, is not validated or checked, and SQL injection is possible here. Make sure you protect this properly yourself!
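As an added example (not code from the question or any of the answers), here is a hardened version of search() that handles both points raised above: the column name, which cannot be a bound parameter, is checked against an explicit allow-list, and the search term, which is bound, also has its LIKE wildcards escaped so a client cannot turn "%" or "_" into a match-everything pattern. The Brand model path, the BrandController name and the searchable column names are assumptions; the backslash escaping assumes MySQL's default LIKE escape character.

```php
<?php
// Added example, not part of the original post. Assumes Laravel 8+ conventions
// (App\Models namespace, Request validation); BrandController and the
// SEARCHABLE column list are hypothetical.
namespace App\Http\Controllers;

use App\Models\Brand;
use Illuminate\Http\Request;

class BrandController extends Controller
{
    /** Identifiers a client is allowed to search on; anything else is rejected. */
    private const SEARCHABLE = ['title', 'slug'];

    public function search(Request $request)
    {
        // 'in:' rejects any column name that is not on the allow-list, so no
        // attacker-controlled identifier ever reaches the query builder.
        $validated = $request->validate([
            'q'   => ['required', 'string', 'max:100'],
            'col' => ['nullable', 'string', 'in:' . implode(',', self::SEARCHABLE)],
        ]);

        $col  = $validated['col'] ?? 'title';
        $term = self::escapeLike($validated['q']);

        // $col is now one of the allow-listed identifiers; $term is passed to
        // where() as a value, so Eloquent binds it as a parameter.
        return Brand::where($col, 'LIKE', '%' . $term . '%')
            ->take(80)
            ->get();
    }

    /** Escape LIKE metacharacters so the user's term is matched literally. */
    private static function escapeLike(string $value): string
    {
        return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $value);
    }
}
```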
Source: https://stackoverflow.com/questions/23978439/how-to-prevent-sql-injection-in-laravel