User::create() 在 Laravel 中安全吗?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/20878821/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Is User::create() safe in Laravel?
提问by TonyArra
I'm trying to make my Laravel UserControlleras lean as possible without using any additional packages, like Ardent (I find it unnecessary; overkill.)
我试图让我的 LaravelUserController尽可能精简,而不使用任何额外的包,比如 Ardent(我觉得没有必要;矫枉过正。)
This is my postRegister()function, the function that is routed to when the user clicks "submit" on the registration form.
这是我的postRegister()函数,当用户点击注册表单上的“提交”时路由到的函数。
public function postRegister() {
$validator = new Services\Validators\RUser;
if ($validator->passes()) {
User::create(Input::all());
return Redirect::to('login');
}
return Redirect::to('register')->withInput()->withErrors($validator->getErrors());
}
I sent all the input off to be validated in another class, then I just call the class statically with User::create(). I'm wondering if this is safe or not. I'm having everything but the idand password_confirmationmass-assigned, and the password is hashed in a mutator function.
我将所有输入发送出去以在另一个类中进行验证,然后我只是使用User::create(). 我想知道这是否安全。我拥有除id和password_confirmation批量分配之外的所有内容,并且密码在 mutator 函数中散列。
If this isn't a safe way to handle user creation, how else should I do it? Should I instead create an instance of the object and manually assign values? Thanks in advance.
如果这不是处理用户创建的安全方法,我还应该怎么做?我应该创建对象的实例并手动分配值吗?提前致谢。
回答by TonyArra
Basically, the Model::Create function does these steps:
基本上,Model::Create 函数执行以下步骤:
- Instantiate a new model instance
- Using the input array, fill in all unguarded/fillable model attributes using set-mutators if available
- Save model to DB
- Return model
- 实例化一个新的模型实例
- 使用输入数组,如果可用,使用 set-mutators 填充所有未保护/可填充的模型属性
- 将模型保存到数据库
- 退货型号
So as long as you add the fields that you don't want to be mass-assigned to your $guarded array (or excluded them from your $fillable array) there shouldn't be any security risks. The functionality is about the same as building the model gradually and then saving it.
因此,只要您添加不想批量分配给 $guarded 数组的字段(或将它们从 $fillable 数组中排除),就不会有任何安全风险。其功能与逐步构建模型然后保存模型大致相同。
As a recommendation: The input validation should happen within the model during either the "saving" or "creating" event. If you return false during one of those events, you'll halt the model creation.
作为建议:输入验证应该在“保存”或“创建”事件期间在模型内进行。如果在这些事件之一期间返回 false,您将停止模型创建。
回答by David Barker
As long as you populate the models $fillablearray with only the values you want mass-assignable this is safe. Validating all the $fillablevalues then adds the safe-guard you're asking about.
只要您$fillable仅使用您想要可批量分配的值填充模型数组,这就是安全的。验证所有$fillable值然后添加您正在询问的安全保护。
This ensures that only the values in $fillableare ever populated on the model with any other Input disregarded.
这可确保仅在$fillable模型上填充 中的值,而忽略任何其他输入。
