duandou8120 2017-01-12 12:11

User details update and security controller

I have started to learn Laravel 5.* and currently I'm working on some basic admin panel. Create users/delete/edit etc.

I've got this for updating user details

public function update(UserRequest $request)
{
    $user = User::find($request['id']);

    // find() returns null for an unknown id; stop before touching $user
    if (!$user) {
        $request->session()->flash('alert-error', 'User not found.');
        return redirect()->route('admin.users');
    }

    // reject the email if another user already owns it
    $hasuser = User::where('email', '=', $request['email'])
                   ->where('id', '!=', $request['id'])
                   ->first();
    if ($hasuser) {
        $request->session()->flash('alert-error', 'User with given email address already exists. Please try with another email address!!.');
        return redirect()->route('admin.users');
    }

    $user->name  = $request['name'];
    $user->email = $request['email'];
    $user->phone = $request['phone'];
    $user->role  = $request['role'];

    // only replace the password when a new one was submitted
    if (!empty($request['password'])) {
        $user->password = bcrypt($request['password']);
    }

    if ($user->save()) {
        $request->session()->flash('alert-success', 'User updated successfully.');
    } else {
        $request->session()->flash('alert-error', 'Can not update User now. Please try again!!.');
    }

    return redirect()->route('admin.users');
}

What I'm not sure about is the query

$hasuser = User::where('email','=',$request['email'])->where('id','!=',$request['id'])->first();

Is it good from a security and SQL injection point of view to use these variables there, i.e. $request['email'], $request['id']?

If not, can you show me what a good approach is here?


1 answer

dphg63476 2017-01-12 12:48

    Laravel's Eloquent ORM uses PDO binding to avoid SQL injection, but that's not to say it's not good practice to validate user input before you do anything with it.

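Putting the answer's advice into code, as an added example that is not part of the question or the answer: a FormRequest that validates every field and does the "email already used by another id" check through a validation rule, followed by a small inspection showing that the question's query hands the email and id to PDO as bound parameters rather than splicing them into the SQL. It assumes Laravel 5.3 or later (for Rule::unique), a users table with the columns from the question, and the role names admin and user.

```php
<?php
// Added example, not from the original post. Assumes Laravel 5.3+ (Rule::unique)
// and a `users` table with the columns used in the question.
use Illuminate\Foundation\Http\FormRequest;
use Illuminate\Validation\Rule;

// 1) Validate before the controller touches anything. The unique rule does the
//    job of the hand-written "email taken by another id" query.
class UserRequest extends FormRequest
{
    public function authorize()
    {
        return true; // the admin-only route is assumed to be guarded by middleware
    }

    public function rules()
    {
        // Cast to int so only a numeric id is ever handed to the ignore clause,
        // which in older 5.x releases is compiled into the rule string itself.
        $id = (int) $this->input('id');

        return [
            'id'       => 'required|integer|exists:users,id',
            'name'     => 'required|string|max:255',
            'email'    => ['required', 'email', 'max:255',
                           Rule::unique('users', 'email')->ignore($id)],
            'phone'    => 'nullable|string|max:20',
            'role'     => 'required|in:admin,user', // assumed role names
            'password' => 'nullable|string|min:8',
        ];
    }
}

// 2) What the query in the question actually sends to the database. The query
//    builder compiles the values to `?` placeholders and passes them to PDO as
//    bindings, so their content is never parsed as SQL. A reviewer can call this
//    from tinker; $request is the validated request defined above.
function showBindings(UserRequest $request)
{
    $query = App\User::where('email', '=', $request->input('email'))
                     ->where('id', '!=', $request->input('id'));

    return [
        'sql'      => $query->toSql(),       // SQL text with `?` placeholders only
        'bindings' => $query->getBindings(), // the email and id, sent separately
    ];
}
```

With the request validated this way the controller can drop its own uniqueness query, and the inspection function shows that even the original query was parameterised, which is the point the answer makes.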
