Laravel: protecting hidden form fields and URLs

I have an edit form, reached with a click, for editing a resource, for example:

 {{ Form::model($post, ['action' => ['PostController@update', 'id' => $post->id], 'method' => 'post']) }}

which generates a form with the action

 http://example.com/posts/edit/123

And my fields containing text and hidden inputs

When you see this URL, it’s very easy for an unscrupulous user to update other messages.

How can I protect a route so that it still behaves correctly if the identifier is manipulated in the inspector? Is there a built-in way to tokenize the identifier to make sure it matches? Can this also apply to all hidden inputs?

thanks

EDIT:

An example of how I use hidden fields: my posts are usually questions and answers; when a user tries to add an answer to a question, I set question_id as a hidden field and I want to check that it has not been manipulated.

+5
2 answers

Limonte's answer is the correct way to prevent editing of other people's posts, and you should always do this. To answer the second half of the question:

 I set question_id as a hidden field, and I want to check that it has not been manipulated.

The problem is that you can never trust the data provided by the client to your system. You should always assume that it has been changed.

One way to minimize risk is to use the Laravel encryption service to do this:

 {{ Form::hidden('question_id', Crypt::encrypt($question_id)) }}

Then in your controller

 $question_id = Crypt::decrypt(Input::get('question_id'));

Just make sure you set a random application encryption key in the app.php configuration file.

+8

To protect the route, you must check the permission in PostController@update.

At the beginning of the method, check if the user can edit this post:

 public function update($postId)
 {
     $post = Post::findOrFail($postId);

     if ($post->user_id !== Auth::id()) {
         abort(403, 'Unauthorized action.');
     }

     // validate, update record, etc.
 }
+2
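Putting both answers together, as an added example that is not code from the question or either answer: an answer-posting controller that issues question_id as a Crypt ciphertext, rejects a value that fails decryption, and then still checks permission on the decrypted id. It assumes Laravel 5.x class names and a hypothetical Question model with an answers() relation and an acceptsAnswersFrom() method.

```php
<?php
// Added example, not from the question or either answer. Assumes Laravel 5.x
// class names; Question, answers() and acceptsAnswersFrom() are hypothetical.
namespace App\Http\Controllers;

use App\Question;
use Illuminate\Contracts\Encryption\DecryptException;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Crypt;
use Illuminate\Support\Facades\Input;

class AnswerController extends Controller
{
    // Render the form. The question id is sent as an authenticated ciphertext
    // (Crypt MACs the payload), so a value edited in the browser inspector fails
    // decryption instead of silently pointing at another question. In the view:
    //   {{ Form::hidden('question_id', $question_token) }}
    public function create($questionId)
    {
        $question = Question::findOrFail($questionId);
        return view('answers.create', [
            'question_token' => Crypt::encrypt($question->id),
        ]);
    }

    public function store()
    {
        try {
            $questionId = Crypt::decrypt(Input::get('question_id'));
        } catch (DecryptException $e) {
            // Forged or edited value: reject it rather than guessing a fallback.
            abort(400, 'Invalid question reference.');
        }

        $question = Question::findOrFail($questionId);
        // Decrypting proves the id was not edited, not that this user may answer
        // this question: a token issued for another question is still a valid
        // token, so the permission check stays mandatory.
        if (! $question->acceptsAnswersFrom(Auth::id())) {
            abort(403, 'Unauthorized action.');
        }

        $question->answers()->create([
            'user_id' => Auth::id(),
            'body'    => Input::get('body'),
        ]);

        return redirect()->route('questions.show', $question->id);
    }
}
```

A ciphertext issued for one question remains valid for that question, so encryption only stops the value being edited; the permission check is what decides whether this user may use it.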
