
I'm using the latest Laravel version and handle POST data using the Request and an array $data to store the data.

// requires: use Illuminate\Http\Request; at the top of the controller
public function someFunctionInSomeControllerSomewhere(Request $request) {
     // all() returns every input field (query string, form body, JSON) as an array
     $data = $request->all();
     // ...
}

Be this good or not (let me know), I wonder if Laravel (since it's incredibly large and feature-rich) already sanitizes the input data coming from Request (at least strings) or not. And if not, I'm looking for a way to automatically sanitize input of type Request so that in all Controllers and functions, I can straightforwardly use the input data.

John

2 Answers

Laravel uses PDO in the background so you are safe to not worry about data coming in, especially the fear of injection. But of course, beyond ensuring safe data is passed into your database, if what you mean by sanitize expands beyond preventing injection, then it's your duty to use validation techniques that suit you.

A caption at https://laravel.com/docs/5.5/queries to tell you. Just check the documentation site for better understanding.


  • All right, thank you. Is there, however, anything I can do about XSS attacks as concerns my data? – John Sep 18 '17 at 13:25
  • I don't think you should be worried about XSS attacks when saving data with Laravel into the database. The only time you should be more concerned is when using that user-given data to perform operations; then you need to sanitize it. Otherwise, if you use Laravel Blade to send the data to the user in any form, you shouldn't have a problem so long as you output it with {{ $data }}. You may check this as reference: https://stackoverflow.com/a/27701087/5704410 – Oluwatobi Samuel Omisakin Sep 18 '17 at 13:36
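The three points made above (bound PDO parameters for the database, validation for everything else, escaping at output for XSS) plus the question's wish for something that runs for every controller can be put together as follows. This is an added example, not code from the question, either answer, or the Laravel project itself. It assumes Laravel 5.5 (the version the linked docs cover); the class names SanitizeStrings and UserController, the users table and its columns are made up for the illustration, and the two classes would normally live in separate files under app/Http/Middleware and app/Http/Controllers.

```php
<?php
// app/Http/Middleware/SanitizeStrings.php (hypothetical file)
namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\TransformsRequest;

// Request-wide normalisation. Laravel's own TrimStrings middleware extends
// TransformsRequest in exactly this way. Added to the $middleware array in
// app/Http/Kernel.php it runs on every request, so every controller sees the
// normalised input. It only normalises: protection against SQL injection and
// XSS still happens where the value is used (query bindings, output escaping).
class SanitizeStrings extends TransformsRequest
{
    // Input keys that must pass through untouched (e.g. credentials).
    protected $except = ['password', 'password_confirmation'];

    protected function transform($key, $value)
    {
        if (in_array($key, $this->except, true) || ! is_string($value)) {
            return $value;
        }
        // Remove NUL bytes and other control characters (except tab/newline),
        // then strip surrounding whitespace.
        $value = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', '', $value);
        return trim($value);
    }
}

// app/Http/Controllers/UserController.php (hypothetical file)
namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;

class UserController extends Controller
{
    public function store(Request $request)
    {
        // 1. Validate: reject input that does not match expectations instead
        //    of trying to clean it. On failure Laravel 5.5 redirects back with
        //    the errors; only the validated keys are returned.
        $data = $request->validate([
            'name'  => 'required|string|max:100',
            'email' => 'required|email|max:254',
            'bio'   => 'nullable|string|max:1000',
        ]);

        // 2. Store: the query builder passes every value as a PDO binding, so a
        //    quote or SQL keyword inside the string is stored literally and
        //    never interpreted as SQL. Never build the statement by string
        //    concatenation of user input.
        DB::table('users')->insert([
            'name'  => $data['name'],
            'email' => $data['email'],
            'bio'   => $data['bio'],
        ]);

        // Raw SQL is equally safe only when it uses placeholders and bindings.
        $user = DB::selectOne('select * from users where email = ?', [$data['email']]);

        // 3. Output: escape at render time. In Blade, {{ $user->bio }} calls e()
        //    for you; outside Blade call it yourself. {!! $x !!} skips escaping
        //    and is the construct to look for in code review.
        return response('<p>' . e($user->bio) . '</p>');
    }
}
```

The middleware is registered once in the `$middleware` array of `app/Http/Kernel.php`, alongside the existing `TrimStrings` entry, so it applies to every route without any per-controller code. Note that it deliberately does not strip HTML: stripping on input breaks legitimate data (a bio containing `<3`, a name with an apostrophe) while still leaving any other output path unprotected, whereas escaping with `e()` at output protects every path that uses it.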

The Request component does not automatically sanitize your data, because that's not its goal. If you want to sanitize your request from:

Pierre Capo
  • Thank you for your reply. However, this does not thoroughly answer the question. OK, `Request`s are *not* sanitized. But, how and where can I change this, is there an approach? Maybe a doc to take a look at? `prepare()` doesn't help at this point since I'm using Laravel which has database management built-in, and the second only tells me the differences between certain php methods used to sanitize. I now know (which I before did, too) that I can sanitize my to-be-inserted-into-the-database-string using `addslashes`. – John Sep 16 '17 at 15:04
  • Please, elaborate on this. – John Sep 16 '17 at 15:04