问题
In Laravel 4 Illuminate\Database\Query in a Builder class delete function accepts null as an id parameter. And behaivor of this function implies that if I have something like:
DB::table('users')->where('id', $id)->delete();
And if $id will be passed as a null, it will truncate the whole table. Which means that besides standard validation, I have to wrap every delete statement with ! is_null($id) validation. Is it a security breach or it's considered as a standard practice?
回答1:
I think you're misunderstanding what that parameters purpose is. It's simply a shortcut for the example you have shown. If you have a users ID you can delete them without writing that where clause.
DB::table('users')->delete($id);
The above is identical to this:
DB::table('users')->where('id', $id)->delete();
You'd obviously perform a check prior to using any of these methods to ensure that a valid ID has been supplied. I wouldn't say it's a security breach, just something you as a developer needs to be aware of when developing your application. You don't just go willy nilly deleting things without first validating the input.
来源:https://stackoverflow.com/questions/22722959/laravel-delete-query-builder