2018-07-01 19:01
浏览 433

Laravel Eloquent:SQL注入预防是自动完成的吗?

Given the example code (Message is an Eloquent model.):

public function submit(Request $request){
    $this->validate($request, [
        'name' => "required",
        "email" => "required"

    //database connection
    $message = new Message;
    $message->name = $request->input("name");
    $message->email = $request->input("email");


Does Eloquent use parameterized queries (like PDO) or any other mechanisms to prevent SQL injection? Thank you!

图片转代码服务由CSDN问答提供 功能建议


 $ this-> validate($ request,[
“email”=  >“required”
 $ message = new Message; 
 $ message-> name = $ request-> input(“name”); 
 $  message-> email = $ request-> input(“email”); 
 $ message-> save(); 

Eloquent是否使用参数化查询(如PDO)或任何其他机制来阻止SQL注入? 谢谢!

  • 写回答
  • 好问题 提建议
  • 关注问题
  • 收藏
  • 邀请回答

1条回答 默认 最新

  • doupin2013 2018-07-01 19:18

    Yes, but...

    Yes, it does SQL injection prevention when you rely on the built-in ORM functionality, like $someModelInstance->save(). From the docs:

    Laravel's database query builder provides a convenient, fluent interface to creating and running database queries. It can be used to perform most database operations in your application and works on all supported database systems.

    The Laravel query builder uses PDO parameter binding to protect your application against SQL injection attacks. There is no need to clean strings being passed as bindings.

    Please note that you are not automatically protected if you build raw SQL statements and execute those or use raw expressions. More from the docs:

    Raw statements will be injected into the query as strings, so you should be extremely careful to not create SQL injection vulnerabilities.

    You should always use parameterized queries when building raw SQL statements or expressions. See the last link above (and other parts of the docs, as wel) for information on how to do that in Laravel/Eloquent.

    解决 无用
    打赏 举报

相关推荐 更多相似问题