I know that using of raw methods is not good practice in larabel, but in some cases I need to use them. So in my laravel 5.7 I have next scopes defined, as :
1)
public function scopeGetByCreatedAt($query, $filter_voted_at_from= null, string $sign= null)
{
if (!empty($filter_voted_at_from)) {
if (!empty($sign)) {
$query->whereRaw(with(new VoteItemUsersResult)->getTableName().'.created_at ' . $sign . "'".$filter_voted_at_from."' ");
} else {
$query->where(with(new VoteItemUsersResult)->getTableName().'.created_at', $filter_voted_at_from);
}
}
return $query;
}
This method is used in report form, where $sign is given as as string literal ' > ' and filter_voted_at_from is date selection input, like
$detailedVoteItemUsersResults = VoteItemUsersResult
::getByCreatedAt($filter_voted_at_from, ' > ')
I mean none of these fields can have dangeraous value like ‘drop table users;’ .
2) when I need to make selection by several fields
public function scopeGetByName($query, $name = null)
{
if ( ! isset($name)) {
return $query;
}
return $query->whereRaw(' ( ' . ContactUs::myStrLower('author_email', false, false) . ' like ' . ContactUs::myStrLower($name, true,
true) . ' OR ' . ContactUs::myStrLower('author_name', false, false) . ' like ' . ContactUs::myStrLower($name, true, true) . ' ) ');
}
...
public static function myStrLower($value, $with_single_quote, $with_percent) : string
{
$percent= $with_percent ? '%' : '';
if ( $with_single_quote ) {
$ret = "LOWER('" . $percent . $value . $percent . "')";
} else {
$ret= "LOWER(" . $percent . $value . $percent . ")";
}
return $ret;
}
Using this scope $name field is text input, so if user filles text like ‘Prof;drop table users;’ I have next sql deguging:
SELECT *
FROM `contact_us`
WHERE ( LOWER(author_email) like LOWER('%Prof;drop table users;%') OR LOWER(author_name) like LOWER('%Prof;drop table users;%') )
ORDER BY `created_at` asc
So I suppose no problems would be triggered?
Anyway I would prefer to avoid using of raw methods. a) Is it possible in examples above to avoid using of raw methods?
b) If no, are they safe ?
Thanks!
from Newest questions tagged laravel-5 - Stack Overflow http://bit.ly/2CHwBoU
via IFTTT
Aucun commentaire:
Enregistrer un commentaire