
forms - Laravel - SQL injection prevention with {{{ }}}

Question:

I have some forms on my page made in Laravel. According to the documentation, triple braces - {{{ }}} - can escape the output. So when I use:

{{{ Form::text('name') }}}

can I be 100% sure that there is no possibility to insert SQL injection command into this form input?

Answer:

No, you understood {{{ }}} wrong. They escape the output.
So if you do

{{{ Form::text('name') }}}

The result is this:

<input name="test" type="text">

It still generates HTML code, but it gets escaped so it's not interpreted as HTML but as plain text.

Preventing SQL injection

You have to prevent SQL injection when saving data to the DB. Normally you do that in your controller. If you use Eloquent or Laravel's Query Builder you don't have to worry too much. It will take care of possible SQL injection points. Only if you execute raw SQL do you have to pay attention.

From the Laravel Docs:

Note: The Laravel query builder uses PDO parameter binding throughout to protect your application against SQL injection attacks. There is no need to clean strings being passed as bindings.
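The two separate concerns in the answer above, as an added example that is not part of the original post or of Laravel itself: plain PHP against an in-memory SQLite database, where the HTML escaping stands in for what {{{ }}} does in Blade and PDO parameter binding stands in for what the query builder does. The table, rows and input value are constructed for the example.

```php
<?php
// Added example, not code from the original post or from Laravel.
// Concern 1: HTML output escaping, which is all that {{{ }}} does in Blade.
// Concern 2: SQL parameter binding, which is how the query builder (and
//            DB::select('... where name = ?', [$value])) keeps input out of SQL.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// Constructed form input: it contains both an HTML tag and a SQL quote,
// so it exercises both concerns at once.
$input = "<b>x</b>' OR '1'='1";

// 1. Output escaping (the same kind of escaping Blade's e() helper applies):
//    the tag and the quotes become entities, so a browser shows them as text.
//    This does nothing for the database.
$escapedForHtml = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
echo "HTML-escaped: $escapedForHtml\n";

// 2a. Raw SQL built by string concatenation: the input becomes part of the
//     query text, the quote ends the literal early, and the OR clause changes
//     the query's logic, so every row comes back instead of none.
$raw = "SELECT name FROM users WHERE name = '" . $input . "'";
$rawRows = $pdo->query($raw)->fetchAll(PDO::FETCH_COLUMN);
echo 'Concatenated raw SQL matched ' . count($rawRows) . " rows\n";

// 2b. Parameter binding: the input is sent to the driver as a value and is
//     never parsed as SQL, so the query looks for a user with that literal
//     name and matches nothing. This is what Eloquent and the query builder
//     do for you, and what you must do yourself when writing raw SQL.
$stmt = $pdo->prepare('SELECT name FROM users WHERE name = ?');
$stmt->execute([$input]);
$boundRows = $stmt->fetchAll(PDO::FETCH_COLUMN);
echo 'Parameter-bound query matched ' . count($boundRows) . " rows\n";
```

Escaping the form input for HTML and binding it as a SQL parameter are independent steps; applying one does not cover the other.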
