Security Database Eloquent
Last updated 9 months ago.
0

As mentioned here http://laravel.com/docs/queries:

Note: The Laravel query builder uses PDO parameter binding throughout to protect your application against SQL injection attacks. There is no need to clean strings being passed as bindings.

If you are concerned with HTML being inserted into the database, you can simply escape it when outputting in your views using the {{{}}} syntax in Blade, e.g.:

{{{$title}}}
Last updated 9 months ago.
0
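An added illustration of the two points in this answer (example code, not from the thread or from Laravel itself): the query builder and the `?` placeholder send user input as a PDO binding, interpolating it into the SQL string does not, and the Blade triple-brace syntax (Laravel 4 era, which this thread dates from) compiles to the `e()` escaping helper on output. The `posts` table, its columns and the `title` request field are assumptions.

```php
<?php
// Added example; assumes a `posts` table with `title` and `body` columns.
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Input;

$title = Input::get('title'); // untrusted user input, e.g. from a search form

// Safe: the query builder passes `$title` as a PDO binding, so the value is
// sent separately from the SQL text and is never parsed as SQL.
$posts = DB::table('posts')->where('title', $title)->get();

// Also safe: a raw statement with an explicit `?` placeholder and bindings.
$posts = DB::select('select * from posts where title = ?', [$title]);

// Unsafe: interpolating the input into the SQL string bypasses binding
// entirely. This is the pattern the documentation note is warning against.
// $posts = DB::select("select * from posts where title = '$title'");

// whereRaw() is only as safe as its bindings: pass the value as a binding,
// never concatenate it into the raw fragment.
$posts = DB::table('posts')
    ->whereRaw('title like ?', ['%' . $title . '%'])
    ->get();

// Output side (XSS, the second half of the answer): `{{{ $post->title }}}`
// in a Blade view compiles to the call below, which HTML-encodes the value.
foreach ($posts as $post) {
    echo '<h1>' . e($post->title) . '</h1>';
}
```

Binding protects the SQL layer only; the escaping call at the end is what protects the HTML layer, and the two are independent, which is the distinction the following replies argue about.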

@usm4n the op is talking about sql injections, you are talking about XSS.

Last updated 9 months ago.
0

Thanks usm4n!

Do you have any suggestions on how to store HTML in the DB and show it as HTML in the pages,

but still check for malicious XSS scripts from the user?

Last updated 9 months ago.
0

@antoniofrignani the first part of the answer got the answer I needed :)

Last updated 9 months ago.
0

tzookb said:

@antoniofrignani the first part of the answer got the answer I needed :)

Yes, it is the second part that is about escaping strings to prevent XSS.

Last updated 9 months ago.
0

antoniofrignani said:

@usm4n the op is talking about sql injections, you are talking about XSS.

Yes, I know what he was talking about; the quote from the documentation was the answer, not the other part. I just thought maybe he was concerned!

Last updated 9 months ago.
0

Does someone have an answer on how I can store user HTML from a WYSIWYG editor? I want to make sure he hasn't sent any scripts there.

Last updated 9 months ago.
0
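The thread leaves this question open. One defensive approach, added here as example code and not from the thread or from Laravel, is to run the submitted HTML through an allowlist sanitiser before storing it, and then to output the stored field unescaped only because it has already been cleaned. The example uses the HTMLPurifier library (an assumption; the thread does not name any sanitiser), installed with Composer as `ezyang/htmlpurifier`; the `posts` table and its `body` column are also assumed.

```php
<?php
// Added example; assumes `composer require ezyang/htmlpurifier` has been run.
require 'vendor/autoload.php';

use Illuminate\Support\Facades\DB;

/**
 * Reduce untrusted WYSIWYG output to an allowlisted subset of HTML.
 * Anything not on the allowlist (script elements, on* event handler
 * attributes, javascript: URLs, unknown tags) is removed, not escaped.
 */
function sanitizeHtml(string $dirty): string
{
    $config = HTMLPurifier_Config::createDefault();
    // Elements and attributes the editor legitimately needs; keep this short.
    $config->set('HTML.Allowed', 'p,br,strong,em,ul,ol,li,a[href],img[src|alt]');
    // Only web URLs survive in href/src; other schemes are dropped.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    $config->set('AutoFormat.RemoveEmpty', true);

    $purifier = new HTMLPurifier($config);
    return $purifier->purify($dirty);
}

// Constructed sample of what an editor field might submit: formatting the
// user is allowed to use, mixed with a script element, an inline event
// handler and a non-http link, all of which the allowlist strips.
$dirty = '<p onmouseover="alert(1)">Hello <strong>world</strong>'
       . '<script>alert(1)</script>'
       . ' <a href="javascript:alert(1)">link</a></p>';

$clean = sanitizeHtml($dirty);
// Only the paragraph, the <strong> element and the link text remain.

// Store the cleaned markup; this is the field that may later be rendered
// with the unescaped Blade syntax. Plain-text fields still go through
// escaped output as in the earlier answer.
DB::table('posts')->insert(['body' => $clean]);
```

Sanitising on the way in and escaping everything else on the way out are complementary: the sanitiser decides which markup is allowed to exist in the stored field, while escaping handles every field that was never meant to contain markup.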
