Preventing SQL Injection, Cross-Site Request Forgery, and Cross-Site Scripting in laravel 5
In this article we are going to see about the security features offered by the Laravel 5.
The three main serious security risks in web application are
- SQL injection
- cross-site request forgery
- cross-site scripting.
If you are in need of security, don’t worry Laravel 5 helps you to provide the solution.
SQL Injection laravel
To avoid SQL injection, Laravel’s Eloquent ORM adopts PDO parameter binding.Parameters binding doesn’t allow any malicious users to pass through the query data. Query’s intent will be modified by query data in this case.
Let us consider a scenario that the form field is needed to supply an e-mail address, to search for the user table. But rather supplying e-mail address the client user search for ‘firstname.lastname@example.org’ or 1=1.The output query may look like the following.
Select from the users the email = 'Johnson@example.com' or 1=1
In case if you are unfamiliar with the syntax 1=1, it is a flexible logic expression that produces the true, to the user table each and every record will be returned.
In case the particularly malicious user passed the ‘email@example.com’; drop table users in the field search, the unsecured query would look like this.
Select from the users where the email = 'firstname.lastname@example.org'; drop table users;
In case of scenario if the MySQL account is responsible for the execution of the applications query and it has drop privilege, now the user’s table and all the data which was found inside of it would be deleted or erased.
In the situation, where PDO parameter binding was used, the given input might be quoted, and the query will look like this.
Select from the users where email=' email@example.com or 1=1'
Since the e-mail is not matched, the query will safely return back no results.
Cross-Site Request Forgery
Consider a scenario that a malicious third party creates a special link, which when clicked takes you to another site and registered and authentication was done. Now, this link performs a very sensitive task, like updating your profile added to spam Message. Since you are already authenticated, the following site will assume that the request is coming from you, so that it will update your profile accordingly.
CRSF means cross-site request forgery.It is a token that was used to analyze the third party can’t perform the following request. Generating tokens would help to pass along with the form contents. Then the token is compared with value, in addition, it is saved to the user session.If the matching is valid if it matches, and the matching is invalid if it is unmatched.
It was recommended to use the only Laravel.Using HTML only was not advisable.If you use Laravel the CSRF token will be added automatically.
Laravel syntax would automatically, gets out any of the HTML entities that is passed through the view variable. The malicious client or user can pass the following string in the comment or the user profile.
My list <script>alert(“spam spam spam!”) </script>
Obviously, there are a lot of different things you ought to do to additionally secure your Laravel application.However, Laravel truly ensures a considerably more secure application by wiping out these three extremely regular assault vectors.