Sunday, 30 December 2018

Using raw methods in a Laravel app seems safe

I know that using raw methods is not good practice in Laravel, but in some cases I need to use them. So in my Laravel 5.7 app I have the following scopes defined:

1)

public function scopeGetByCreatedAt($query, $filter_voted_at_from = null, string $sign = null)
{
    if (!empty($filter_voted_at_from)) {
        if (!empty($sign)) {
            $query->whereRaw(with(new VoteItemUsersResult)->getTableName() . '.created_at ' . $sign . "'" . $filter_voted_at_from . "' ");
        } else {
            $query->where(with(new VoteItemUsersResult)->getTableName() . '.created_at', $filter_voted_at_from);
        }
    }
    return $query;
}

This method is used in a report form, where $sign is given as a string literal ' > ' and $filter_voted_at_from is a date selection input, like

$detailedVoteItemUsersResults = VoteItemUsersResult::getByCreatedAt($filter_voted_at_from, ' > ')

I mean none of these fields can have a dangerous value like 'drop table users;'.

2) when I need to make a selection by several fields

public function scopeGetByName($query, $name = null)
{
    if (!isset($name)) {
        return $query;
    }
    return $query->whereRaw(
        ' ( ' . ContactUs::myStrLower('author_email', false, false) . ' like ' . ContactUs::myStrLower($name, true, true)
        . ' OR ' . ContactUs::myStrLower('author_name', false, false) . ' like ' . ContactUs::myStrLower($name, true, true) . ' ) '
    );
}

...

public static function myStrLower($value, $with_single_quote, $with_percent): string
{
    $percent = $with_percent ? '%' : '';
    if ($with_single_quote) {
        $ret = "LOWER('" . $percent . $value . $percent . "')";
    } else {
        $ret = "LOWER(" . $percent . $value . $percent . ")";
    }
    return $ret;
}

Using this scope, the $name field is a text input, so if the user enters text like 'Prof;drop table users;' I get the following SQL in debugging:

   SELECT * 
    FROM `contact_us` 
    WHERE  ( LOWER(author_email) like LOWER('%Prof;drop table users;%')     OR LOWER(author_name) like LOWER('%Prof;drop table users;%') )  
    ORDER BY `created_at` asc 

So I suppose no problems would be triggered?

Anyway, I would prefer to avoid using raw methods. a) Is it possible in the examples above to avoid using raw methods?
b) If not, are they safe?

Thanks!



via Chebli Mohamed
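The two scopes rewritten with Laravel's parameter bindings, as an added example that is not part of the original post: user input never becomes part of the SQL string, the comparison operator is checked against a fixed list, and only the static LOWER() wrapping stays in raw SQL. It assumes Laravel 5.7's `where($column, $operator, $value)`, `whereRaw($sql, $bindings)` and Eloquent's built-in `getTable()`; the model and column names are taken from the question, and MySQL's default `\` escape for LIKE is assumed.

```php
<?php
// Added example (not the question author's code): the same two scopes
// with request values passed as bindings instead of concatenated SQL.

use Illuminate\Database\Eloquent\Model;

class VoteItemUsersResult extends Model
{
    // Scope 1: the operator comes from a fixed allowlist, the date value is a
    // binding, so the query compiles to "vote_item_users_results.created_at > ?".
    public function scopeGetByCreatedAt($query, $filter_voted_at_from = null, string $sign = null)
    {
        if (empty($filter_voted_at_from)) {
            return $query;
        }
        $allowed = ['=', '<', '<=', '>', '>=', '<>'];
        $sign    = $sign === null ? '=' : trim($sign);   // the form passes ' > '
        if (!in_array($sign, $allowed, true)) {
            throw new \InvalidArgumentException("Unsupported comparison operator: {$sign}");
        }
        // getTable() is Eloquent's own accessor; no raw SQL is needed here at all.
        return $query->where($this->getTable() . '.created_at', $sign, $filter_voted_at_from);
    }
}

class ContactUs extends Model
{
    // Scope 2: LOWER(column) is static SQL written by us; the search term is
    // a binding, so quotes or semicolons in $name are just characters to match.
    public function scopeGetByName($query, $name = null)
    {
        if (!isset($name) || $name === '') {
            return $query;
        }
        // Optional: escape % and _ so they match literally instead of acting as
        // LIKE wildcards (a matching-semantics choice, not an injection concern).
        $needle = '%' . addcslashes(mb_strtolower($name), '%_\\') . '%';

        // Nested closure keeps the OR inside its own parentheses, as in the
        // original "( ... OR ... )" raw clause.
        return $query->where(function ($q) use ($needle) {
            $q->whereRaw('LOWER(author_email) LIKE ?', [$needle])
              ->orWhereRaw('LOWER(author_name) LIKE ?', [$needle]);
        });
    }
}
```

With these scopes the call sites stay the same (`VoteItemUsersResult::getByCreatedAt($filter_voted_at_from, ' > ')`, `ContactUs::getByName($name)`), and `DB::getQueryLog()` shows `?` placeholders with the values listed separately in the bindings array.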
