
I am using Laravel 5.4. I have a form where I take some inputs from the user. The form variables are directly inserted into the database. I want to make sure the user does not enter anything that could harm the database. I have heard of something called SQL Injection but I don't know much about it.

This is my function.

    public function insert_data(Request $request)
    {
        // $maxID and $company_id are not defined in this snippet; they are
        // assumed to be computed earlier in the controller.
        $company_details_data = [
            'job_id'                 => $maxID,
            'company_id'             => $company_id,
            'job_title'              => ucwords($request->input('job_title')), // fixed: was $request>input
            'vacancy_no'             => $request->input('vacancy_no'),
            'category_id'            => $request->input('category_id'),
            'job_type_id'            => $request->input('job_type_id'),
            'city_id'                => $request->input('city_id'),
            'travel_required'        => $request->input('travel_required'),
            'other_locations'        => ucwords($request->input('other_locations')),
            'no_vacancy'             => $request->input('no_vacancy'),
            'job_salary'             => $request->input('job_salary'),
            'date_expiry'            => $request->input('date_expiry'),
            'job_details'            => $request->input('job_details'),
            'date_posted'            => date('Y-m-d'),
            'qualification_required' => $request->input('qualification_required'),
            'experience_required'    => $request->input('experience_required'),
            'skills_required'        => $request->input('skills_required'),
            'apply_guidance'         => $request->input('apply_guidance'),
            'duty_responsibilities'  => $request->input('duty_responsibilities'),
        ];

        // Column values are passed as an array; the table name is a literal here.
        General_model::createrecord($company_details_data, 'job_details');
    }

This is the createrecord() function in my model:

    public static function createrecord($data, $tbl)
    {
        // Query builder insert: values in $data are sent as bound parameters.
        return DB::table($tbl)->insert($data);
    }

I want to use htmlspecialchars here, but I am using a rich text editor in my form. If I use htmlspecialchars, it will also change harmless tags like <p>, <br>, etc. Please help.

Ajmal Razeel
  • What does the `createrecord()` method do? It looks like you're trying to duplicate a lot of what Eloquent will actually do for you. I suggest you check out the [Eloquent Documentation](https://laravel.com/docs/5.4/queries) – jfadich Aug 01 '17 at 22:13
  • It is the createrecord function: `return DB::table($tbl)->insert($data);` – Ajmal Razeel Aug 01 '17 at 22:16
  • You should use Eloquent and create a model for each table. Then when you use the `create` method it will use parameterized queries to help protect against SQL injection. – jfadich Aug 01 '17 at 22:17

1 Answer

Without being able to see the methods on your model that take this data and actually push them into the DB, it's difficult to tell.

Ideally you'd want to sanitize your data prior to handing it to any class. Also, you'd want to make sure your models, if not already using an existing ORM, were using something akin to PDO for your database interactions.

See the answers to the following question as to what sanitizing a request for the DB actually entails.

EDIT: As others have pointed out, it most likely makes more sense here to use an ORM like Eloquent in Laravel that handles a lot of this for you.

What's the best method for sanitizing user input with PHP?

Xenology
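As an added example (not the asker's or answerer's code), here is what "something akin to PDO" looks like for the createrecord() pattern above: the values are bound as parameters, while the table and column names, which PDO cannot bind, are checked against an allowlist. The table, its columns and the SQLite database are constructed for this example.

```php
<?php
// Constructed allowlist: which columns may be inserted into which table.
// Identifiers cannot be bound as parameters, so they are validated, not escaped.
const INSERTABLE = [
    'job_details' => ['job_id', 'company_id', 'job_title', 'job_details', 'date_posted'],
];

function createrecord(PDO $pdo, array $data, string $tbl): bool
{
    if (!isset(INSERTABLE[$tbl])) {
        throw new InvalidArgumentException("Table not insertable: $tbl");
    }
    $unknown = array_diff(array_keys($data), INSERTABLE[$tbl]);
    if ($unknown) {
        throw new InvalidArgumentException('Unknown columns: ' . implode(', ', $unknown));
    }
    $cols = array_keys($data);
    // Only allowlisted identifiers reach the SQL text; every value is a placeholder.
    $sql = sprintf(
        'INSERT INTO %s (%s) VALUES (%s)',
        $tbl,
        implode(', ', $cols),
        implode(', ', array_map(fn($c) => ":$c", $cols))
    );
    $stmt = $pdo->prepare($sql);
    return $stmt->execute($data); // values travel as bound parameters, never as SQL
}

// Constructed in-memory SQLite database so the example runs stand-alone.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE job_details (job_id INTEGER, company_id INTEGER, '
         . 'job_title TEXT, job_details TEXT, date_posted TEXT)');

// Quotes, semicolons and HTML from the editor are stored literally: they are
// data to the database. HTML still needs output-side sanitizing before display.
createrecord($pdo, [
    'job_id'      => 1,
    'company_id'  => 7,
    'job_title'   => "O'Brien's Engineer; -- not SQL",
    'job_details' => '<p>Rich text from the editor</p>',
    'date_posted' => date('Y-m-d'),
], 'job_details');

$row = $pdo->query('SELECT job_title FROM job_details')->fetch(PDO::FETCH_ASSOC);
var_dump($row['job_title'] === "O'Brien's Engineer; -- not SQL");
```

Laravel's `DB::table($tbl)->insert($data)` binds values the same way, so the remaining risk in the asker's code is the `$tbl` argument, which must never come from the request.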