Laravel - Preventing SQL injection with {{{ }}}

Disclaimer: this page is a Chinese-English parallel translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you use it you must follow the CC BY-SA license, cite the original URL and author information, and attribute it to the original author (not me). StackOverflow original: http://stackoverflow.com/questions/27527524/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverflow

Date: 2020-09-14 10:34:11  Source: igfitidea

Laravel - SQL injection prevention with {{{ }}}

Tags: forms, laravel, input, sql-injection

Asked by Tomas Turan

I have some forms in my page made in Laravel. According to documentation, triple braces - {{{ }}} can escape the output. So when I use:


{{{ Form::text('name') }}}

can I be 100% sure that there is no possibility to insert SQL injection command into this form input?


Answered by lukasgeiter

No, you understood the {{{ }}} wrong. They escape the output.
So if you do


{{{ Form::text('name') }}}

The result is this:


<input name="test" type="text">

It still generates HTML code, but it gets escaped, so it's not interpreted as HTML but as plain text.


Preventing SQL injection


You have to prevent SQL injection when saving data to the DB. Normally you do that in your controller. If you use Eloquent or Laravel's Query Builder you don't have to worry too much. It will take care of possible SQL injection points. Only if you execute raw SQL do you have to pay attention.


From the Laravel Docs:


Note: The Laravel query builder uses PDO parameter binding throughout to protect your application against SQL injection attacks. There is no need to clean strings being passed as bindings.

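The answer separates two unrelated defenses: output escaping (what {{{ }}} does, protecting the HTML page) and query parameter binding (what the query builder and Eloquent do, protecting the database). The following is an added example, not code from the question, the answer or the Laravel project, that shows both side by side in plain PHP. It uses PDO with an in-memory SQLite database so it runs on its own; the function names, the `users` table and the sample input are constructed for the illustration. The Laravel calls named in the comments (`e()`, `DB::select()` with `?` placeholders) are the framework's real counterparts.

```php
<?php
// Added example (not from the StackOverflow post or from Laravel). It contrasts
// output escaping with query parameter binding using plain PDO and SQLite.

// 1. Output escaping: the job {{{ }}} does. It turns HTML-special characters
//    into entities so the browser renders text instead of markup. It has no
//    effect on what the database sees. Laravel's e() helper escapes the same way.
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// 2. Query building. Constructed in-memory database with two sample rows.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// Constructed sample form input containing a single quote, which is special in
// both HTML and SQL. HTML-escaping it does nothing for the SQL side.
$userInput = "x' OR '1'='1";

// Raw SQL assembled by string concatenation: the input becomes part of the
// query text, which is the "raw SQL" case the answer says you must watch.
function findByNameRaw(PDO $pdo, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Same query with a bound parameter: the input is sent to the driver as data
// and is never parsed as SQL. In Laravel,
//   DB::select('select name from users where name = ?', [$name])
// reaches PDO the same way, which is what the quoted docs note refers to.
function findByNameBound(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT name FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The escaped value is safe to place inside an <input value="..."> attribute,
// but it is still the unchanged string as far as any query is concerned.
echo "HTML-escaped form value: " . escapeForHtml($userInput) . PHP_EOL;

// The concatenated query's WHERE clause is rewritten by the input, so every
// row matches; the bound query looks for a user literally named with that
// string and finds nothing.
echo "Raw concatenation returns: " . json_encode(findByNameRaw($pdo, $userInput)) . PHP_EOL;
echo "Bound parameter returns:   " . json_encode(findByNameBound($pdo, $userInput)) . PHP_EOL;
```

Run it with `php example.php` (needs the `pdo_sqlite` extension). The point to take away is the one the answer makes: escaping on output and binding on query are separate layers, and applying the first does not give you the second.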