I have a searchbox users can use to search fields using the following query. (I've not copied in the entire search, just the relevant part)
    $searchBuild->where(function ($query) use ($searchBox) {
        $query->orWhere('event', 'LIKE', '%'.$searchBox.'%');
        $query->orWhere('sub_event', 'LIKE', '%'.$searchBox.'%');
    });
Where $searchBox is getting the input field when the request is made.
This works perfectly fine whenever searching for most things.
But if my input field contains a double quote (") or a backslash (\) it fails.
Isn't Laravel using PDO, and shouldn't both of those be escaped automatically?
I can't get any search with quotes or backslashes to work. Single quotes and forward slashes seem to work fine.
What am I not understanding?
But if I do
$searchBox = addslashes($searchBox);
Then it works. Do I need to be doing that on all user input? I thought the whole idea of PDO was so that I didn't have to sanitize user input for slashes.
edit:
actually addslashes may only be working for backslashes. I think double quotes still fail in my search.
edit2:
Okay, I think I figured out the double quotes thing. That was a totally separate problem (I had 'smart quotes' from copying something into my table from Excel, and the smart left and right quotes were screwing stuff up).
But I still have to use 'addslashes' for anything with a quote or backslash to search, so my original question remains.
Do I need to do 'addslashes'?
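The following is an added example, not code from the post above or from Laravel itself. It shows why binding the value through PDO is not enough on its own: binding prevents SQL injection, but a LIKE pattern has its own metacharacters (% and _ are wildcards, and \ is the escape character, which is MySQL's default for LIKE). A bare backslash in the bound term is therefore consumed as an escape rather than matched literally, which is the symptom described above, and a user-supplied % or _ silently becomes a wildcard. The table, rows, the escapeLike() helper and the search() function are all assumed for the demo; SQLite is used so it runs stand-alone, with an explicit ESCAPE clause to give it the backslash behaviour MySQL has by default.

```php
<?php
// Added example (not from the original post): escaping a user-supplied
// search term for use inside a parameterised LIKE pattern.

function escapeLike(string $term, string $escape = '\\'): string
{
    // Escape the escape character first, then the two LIKE wildcards.
    // str_replace with arrays applies the replacements in order, so the
    // backslashes introduced for % and _ are not escaped a second time.
    return str_replace(
        [$escape, '%', '_'],
        [$escape . $escape, $escape . '%', $escape . '_'],
        $term
    );
}

function search(PDO $pdo, string $searchBox, bool $escapeTerm): array
{
    $term = $escapeTerm ? escapeLike($searchBox) : $searchBox;
    $pattern = '%' . $term . '%';
    // ESCAPE '\' makes SQLite treat backslash the way MySQL does by default
    // (on MySQL you can leave the clause out). The value is still bound.
    $stmt = $pdo->prepare(
        "SELECT event FROM events WHERE event LIKE ? ESCAPE '\\' OR sub_event LIKE ? ESCAPE '\\'"
    );
    $stmt->execute([$pattern, $pattern]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample data (assumed schema, not the poster's table).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE events (id INTEGER PRIMARY KEY, event TEXT, sub_event TEXT)');
$ins = $pdo->prepare('INSERT INTO events (event, sub_event) VALUES (?, ?)');
foreach ([
    ['Login',  'password "reset"'],
    ['Backup', 'path C:\\Users\\bob'],
    ['Report', '100% complete'],
    ['Other',  'unrelated'],
] as $row) {
    $ins->execute($row);
}

// Raw term: "\U" is read as an escaped U, so the pattern becomes %C:Users%
// and the Backup row is never found. Escaped term: the backslash is doubled
// and matched literally.
var_dump(search($pdo, 'C:\\Users', false));  // array(0) {}
var_dump(search($pdo, 'C:\\Users', true));   // ["Backup"]

// Wildcards in user input: a raw "%" matches every row (unintended full
// scan / data exposure); once escaped it only matches a literal percent sign.
var_dump(count(search($pdo, '%', false)));   // int(4)
var_dump(search($pdo, '%', true));           // ["Report"]

// Quotes are not LIKE metacharacters; binding passes them through unchanged,
// so they need no addslashes() at all.
var_dump(search($pdo, '"reset"', true));     // ["Login"]
```

With the Laravel query builder the same idea applies: escape the term with a helper like escapeLike() and pass the result to orWhere('event', 'LIKE', '%'.$escaped.'%'); on MySQL the backslash is already the LIKE escape character, so no ESCAPE clause is needed. addslashes() is the wrong tool because it is meant for SQL string quoting, not LIKE patterns: it happens to double backslashes, but it leaves % and _ as live wildcards and adds backslashes in front of quotes that LIKE does not need.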