
I am making Ajax requests to Laravel, but for some reason my custom function is not escaping special characters. I can't figure out why. I have used this exact same function in CodeIgniter and it escapes output just fine. All of the data is getting returned fine to the JS file, but it's not escaping anything. Here is the code:

public function store( Request $request, $project_id ) {
    //current logged in user. 
    $user_id = auth()->user()->id;


    //get all post inputs

    $inputs = $request->all();


    //make sure project ID belongs to current user.  Stop someone from adding a task to your project that isn't you. 
    $projectBelongsToUser = Project::find(1)->where('user_id', $user_id)->where('id', $project_id)->get();



    //if a project ID and inputs are provided - log them to the database, if not redirect to home with $errors. 
    if( $project_id && $inputs['description'] && $projectBelongsToUser ) {

        $task = New Task;

        $task->description = $inputs['description'];
        $task->due_date    = $inputs['due_date'];
        $task->priority    = $inputs['priority'];
        $task->completed   = 0;
        $task->order       = 0;
        $task->user_id     = $user_id;
        $task->project_id  = $project_id;
        $task->save();

        //get all tasks
        $tasks = Task::where('user_id', $user_id)->where('project_id', $project_id)->orderBy('description', 'asc')->get();

        //sanitize tasks for safe output
        function sanitize_object_h( $array ) {
            $array_modified = $array;

            foreach( $array_modified as $object ) {
                foreach( $object as &$item ) {
                    $item = htmlentities( $item, ENT_QUOTES );
                }
                //end foreach
            }
            //end foreach
            return $array_modified;

        }
        //end sanitize_object_h

        $sanitized_tasks = sanitize_object_h( $tasks );

        //return the sanitized object. 
        echo json_encode( sanitize_object_h( $tasks ) );

    } else {

        echo "failed";
        return;

    }//end if



}//end store
john23
  • Don't know about your issue, but you have several weird things, like the first Project::find(1)... you select by `id=1`, but use where `user_id=$user_id`, but also `id=$project_id`. This makes no sense, id can only be one (in a typical structure), so only `Project::find($project_id);`. If you want to stop people from using another's, try roles and permissions – Bojan Kogoj Jan 05 '16 at 23:00
  • @BojanKogoj Would you do that via middleware (roles/permissions)? One is user_id and the other is project_id. In the projects table there is a relationship to the users table. – john23 Jan 05 '16 at 23:29
  • Yes, I use Entrust for this. Sure, a bit of work to get it all to work as I wanted, but it's worth it if you ask me. Keeping code clean and shorter. – Bojan Kogoj Jan 06 '16 at 08:27
  • Also there is no need for json_encode. It will automatically do it for you, or use return Response::json($item). Always return the value, don't echo it. – Bojan Kogoj Jan 06 '16 at 08:28

1 Answer


First off, I have not fixed escaping. Htmlentities should work, but in my opinion (and some others') you don't need to. Json_encode by itself escapes all characters it needs to make valid JSON. However, I have tried to improve the readability of your code.

Laravel can do a lot of things you want to do.

public function store( Request $request, $project_id ) {

    if(!$project_id)
        abort(404, "Bad id");

    // make sure all inputs exist
    $this->validate($request, [
        'description' => 'required',
        'due_date' => 'required',
        'priority' => 'required'
    ]);

    //get all post inputs
    $inputs = $request->all();

    //current logged in user (the controller needs `use Auth;` and `use Response;` at the top)
    $user_id = Auth::user()->id;

    //make sure project ID belongs to current user.  Stop someone from adding a task to your project that isn't you. 
    $project = Project::findOrFail($project_id);
    if($project->user_id != $user_id)
        abort(403, 'Not your thing');

    $task = New Task;

    $task->description = $inputs['description'];
    $task->due_date    = $inputs['due_date'];
    $task->priority    = $inputs['priority'];
    $task->completed   = 0;
    $task->order       = 0;
    $task->user_id     = $user_id;
    $task->project_id  = $project_id;
    $task->save();

    //get all tasks
    $tasks = Task::where('user_id', $user_id)->where('project_id', $project_id)->orderBy('description', 'asc')->get();

    return Response::json($tasks);
}//end store

Take a look at Validation

Pay attention to abort. I think it's rather obvious what it does, but you can also use return "error"; if you like, since this looks like an API. FindOrFail: if the record doesn't exist it will throw a 404 (unless you catch it).
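Added example, not code from the question or the answer, covering both the original sanitize_object_h() problem and the answer's point about json_encode: a stand-in class replaces a real Eloquent model, and `FakeModel`, `sanitize_object_h_broken()` and `sanitize_models_for_html()` are names chosen here (assumes PHP 7.4+). In Laravel, `$tasks->toArray()` on the Collection yields the same plain arrays this builds from.

```php
<?php
// FakeModel stands in for an Eloquent model: the column values live in a
// protected array (Eloquent's $attributes), so a foreach over the object
// from outside the class sees none of them.
class FakeModel {
    protected $attributes;
    public function __construct(array $attributes) { $this->attributes = $attributes; }
    public function toArray(): array { return $this->attributes; }
}

// Constructed sample rows with HTML metacharacters in the description.
$tasks = [
    new FakeModel(['id' => 1, 'description' => '<b>Write "report"</b> & send']),
    new FakeModel(['id' => 2, 'description' => "Call Bob's office"]),
];

// The question's pattern: the inner loop visits only public properties of
// the model object, never its attributes, so nothing is escaped.
function sanitize_object_h_broken(array $models): array {
    foreach ($models as $object) {
        foreach ($object as &$item) {
            $item = htmlentities($item, ENT_QUOTES);
        }
    }
    return $models;
}

// A working version: export each model to a plain array first, escape every
// scalar value, and return new arrays instead of editing by reference.
function sanitize_models_for_html(array $models): array {
    $out = [];
    foreach ($models as $model) {
        $row = [];
        foreach ($model->toArray() as $key => $value) {
            $row[$key] = is_scalar($value)
                ? htmlentities((string) $value, ENT_QUOTES, 'UTF-8')
                : $value;
        }
        $out[] = $row;
    }
    return $out;
}

// json_encode only guarantees valid JSON: the metacharacters survive inside
// the string values. JSON_HEX_* flags make the JSON text safe to embed in
// HTML, but after JSON.parse the client still holds a raw '<b>', so a page
// that writes it with innerHTML needs the htmlentities version (or textContent).
$rows = array_map(fn(FakeModel $m) => $m->toArray(), $tasks);
echo json_encode($rows), "\n";
echo json_encode($rows, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_QUOT | JSON_HEX_APOS), "\n";
echo json_encode(sanitize_models_for_html($tasks)), "\n";
```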

Bojan Kogoj
  • Thanks Bojan - really appreciate you going through this and offering suggestions. I will implement these and it will speed up my coding time as well. – john23 Jan 06 '16 at 17:06
  • Is there a way to get debugging to show in the console for Ajax requests? Right now I am getting 500 internal server errors and can't debug very easily. – john23 Jan 07 '16 at 00:53
  • For some reason adding return Reponse::json($tasks); returns a 500 error for me....hence the debugging question. – john23 Jan 07 '16 at 01:09
  • Did you add all you need? Such as `use Response;`. Otherwise check logs – Bojan Kogoj Jan 07 '16 at 10:30