Danyal Sandeelo - 4 months ago
SQL Question

How to restrict HTML/Javascript insertion in database table Laravel 5.2

I could successfully save HTML/JavaScript into the database table, and it renders it. This is the first time I have moved to Laravel; Yii automatically caters for it, but how can I do the same thing in Laravel?

I don't want to use specific checks all over my application, there must be some centralized approach to do so.


Output:


htmlentities($inputs['first_name']);

That does the job, but how do I do this across the whole app? I don't want to have these checks everywhere.

That's how I render form:

{!! Form::model($companyUser, ['route' => ['updateUserProfile', $companyUser->id], 'method' => 'put', 'class' => 'frm-container']) !!}
<div class="col-lg-5">
{!! Form::controlRequired('text', 0, 'first_name', $errors, 'First Name') !!}
</div>
<div class="col-lg-5">
{!! Form::control('text', 0, 'last_name', $errors, 'Last Name') !!}
</div>
<br clear="all"/>
<div class="col-lg-5">
{!! Form::control('password', 0, 'password', $errors, 'New Password') !!}
</div>
<div class="col-lg-5">
{!! Form::control('password', 0, 'password_confirmation', $errors, 'Confirm Password') !!}
</div>
<br clear="all"/>
<div class="col-lg-12 btn-frm-inner">
<button type="submit" class="btn btn-submit">Update</button>
<a href="<?= URL::to('/');?>" class="btn btn-cancel">Cancel</a>
</div>

{!! Form::close() !!}

Answer

The code you posted is from the form.

You're not supposed to filter what's going in the database in my opinion. You should simply let anything come and then display it the way you want. So this is fine.

Now, as for displaying the data:

{{ }} will escape automatically, while {!! !!} will NOT escape anything.

So when you display the data in your view, you should use the first option.
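To make the difference between the two Blade echo forms concrete, here is an added example (not code from the question, the answer, or Laravel itself): a tiny stand-in renderer that treats `{{ }}` as escaped output and `{!! !!}` as raw output, run over a constructed `first_name` value of the kind that was stored unchanged. The escaping function mirrors what Laravel 5's `e()` helper does (`htmlentities` with `ENT_QUOTES`); the renderer only understands bare variable names, which is an assumption made here for brevity.

```php
<?php
// Added example: why storing raw input is fine as long as the view escapes it.
// Escape the way Laravel 5's e() helper does: htmlentities with ENT_QUOTES,
// so single and double quotes are neutralised for attribute contexts too.
function escapeForHtml(string $value): string
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8', false);
}

// Minimal Blade-style renderer (assumption: only {{ name }} and {!! name !!}
// with bare variable names). One regex pass handles both forms, so a value
// emitted raw can never be re-scanned as a template directive.
function renderBlade(string $template, array $vars): string
{
    return preg_replace_callback(
        '/\{(\{|!!)\s*(\w+)\s*(\}|!!)\}/',
        function (array $m) use ($vars): string {
            $value = (string) ($vars[$m[2]] ?? '');
            // '{' means the opener was {{ : escape. '!!' means {!! : raw.
            return $m[1] === '{' ? escapeForHtml($value) : $value;
        },
        $template
    );
}

// Constructed sample record: the stored value is kept exactly as submitted.
$companyUser = ['first_name' => '<script>alert("xss")</script>'];

// Escaped echo: the browser shows the literal text, nothing executes.
echo renderBlade('<p>{{ first_name }}</p>', $companyUser), PHP_EOL;

// Raw echo: the stored markup is emitted as-is and runs in the page.
echo renderBlade('<p>{!! first_name !!}</p>', $companyUser), PHP_EOL;
```

The same rule applies to the form in the question: `{!! Form::... !!}` is fine for markup the form builder generates itself, but any user-supplied field value should reach the page through `{{ }}`.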