我已经开始学习Laravel 5.*,目前我正在研究一些基本的管理面板。创建用户/删除/编辑等。
我有这个来更新用户详细信息
public function update( UserRequest $request){
$user = User::find( $request['id'] );
$hasuser = User::where('email','=',$request['email'])->where('id','!=',$request['id'])->first();
if($hasuser){
$request->session()->flash('alert-error','User with given email address already exist. Plese try with another email address!!.');
return redirect()->route('admin.users');
}
$user->name = $request['name'];
$user->email = $request['email'];
$user->phone = $request['phone'];
$user->role = $request['role'];
if(!empty($request['password'])){
$password = bcrypt($request['password']);
$user->password = $password;
}
if($user->save())
$request->session()->flash('alert-success','User updated successfully.');
else
$request->session()->flash('alert-error','Can not update User now. Please try again!!.');
return redirect()->route('admin.users');
}
我不确定的是查询
$hasuser = User::where('email','=',$request['email'])->where('id','!=',$request['id'])->first();
从安全性和sql注入的角度来看,这个变量在那里好吗,即 $request['email'] , $request['id']
如果没有,你能告诉我什么是好方法吗?
Laravel的Eloquent ORM使用PDO绑定来避免SQL注入,但这并不是说在对用户输入做任何事情之前验证它不是好习惯。