VLS

Reputation: 445

User details update and secure controller

I have started to learn Laravel 5.* and currently I'm working on some basic admin panel: create/delete/edit users, etc.

I've got this for updating user details:

public function update( UserRequest $request){

    // Abort with a 404 instead of dereferencing null when the id is unknown.
    $user = User::findOrFail( $request['id'] );

    // Reject the new email if a different user already owns it.
    $hasuser = User::where('email','=',$request['email'])->where('id','!=',$request['id'])->first();
    if($hasuser){
        $request->session()->flash('alert-error','User with given email address already exists. Please try with another email address!!.');
        return redirect()->route('admin.users'); 
    }

    $user->name =  $request['name'];
    $user->email =  $request['email'];
    $user->phone =  $request['phone'];
    $user->role =  $request['role'];

    // Only change the password when a new one was supplied; store the bcrypt hash, never the plaintext.
    if(!empty($request['password'])){
        $password = bcrypt($request['password']);
        $user->password = $password;    
    }

    if($user->save())
        $request->session()->flash('alert-success','User updated successfully.');
    else
        $request->session()->flash('alert-error','Can not update User now. Please try again!!.');

    return redirect()->route('admin.users');
}

What I'm not sure about is this query:

$hasuser = User::where('email','=',$request['email'])->where('id','!=',$request['id'])->first();

Is it good from a security and SQL injection point of view to use these variables there, i.e. $request['email'] and $request['id']?

If not, can you show me what a good approach is here?

Upvotes: 0

Views: 32
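The following is an added example, not code from the question or the answer: it builds the same query as the question's `$hasuser` line and inspects the SQL text and the bindings Laravel's query builder produces, so you can see where the request values actually end up. It assumes a Laravel 5.x application with the `App\User` Eloquent model and a `users` table, and is meant to be run from `php artisan tinker` or a test; the hostile-looking email value is constructed for the demonstration.

```php
<?php
// Added example (not the question's or answer's code). Assumes a Laravel 5.x
// app with App\User and a `users` table; run from `php artisan tinker`.

use App\User;
use Illuminate\Database\Eloquent\Builder;

/**
 * Build, but do not execute, the same query as the question's $hasuser line.
 */
function otherUserWithEmailQuery(string $email, int $exceptId): Builder
{
    // Both values become `?` placeholders. The driver sends them separately
    // from the statement, so quotes or SQL keywords inside $email are inert.
    return User::where('email', '=', $email)->where('id', '!=', $exceptId);
}

/**
 * Return the statement text and its bindings side by side for inspection.
 */
function describeQuery(Builder $query): array
{
    return [
        'sql'      => $query->toSql(),
        'bindings' => $query->getBindings(),
    ];
}

// Constructed, hostile-looking email value: it lands in the bindings array as
// an ordinary string and never appears inside the SQL text.
$probe = describeQuery(otherUserWithEmailQuery("x' OR '1'='1", 7));
print_r($probe);

// The pattern that does reintroduce injection is concatenating request input
// into a raw fragment. Raw SQL can still take bindings, so keep it that way:
//   avoid: User::whereRaw("email = '" . $request['email'] . "'")
//   use:   User::whereRaw('email = ?', [$request['email']])
```

With the MySQL grammar, `toSql()` returns ``select * from `users` where `email` = ? and `id` != ?`` (identifier quoting differs per driver), and `getBindings()` returns `["x' OR '1'='1", 7]`. That is the PDO binding the answer refers to: the statement and the data are sent to the database separately, so the query-builder form in the question does not need any manual escaping.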

Answers (1)

pablow

Reputation: 41

Laravel's Eloquent ORM uses PDO binding to avoid SQL injection, but that's not to say it's not good practice to validate user input before you do anything with it.

Upvotes: 1
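As an added example of the input validation the answer recommends (not code from the answer or from Laravel itself), here is a `UserRequest` form request for the controller in the question. It assumes a `users` table, that the user's id arrives in the request body as `id` (as in the question), Laravel 5.3 or later for `Rule::unique`, and an assumed set of role names; the authorization check reuses the `role` column the question already writes to.

```php
<?php
// Added example, not the page's own code. Assumes a `users` table, the id in
// the request body as `id`, Laravel >= 5.3, and the role names listed below.

namespace App\Http\Requests;

use Illuminate\Foundation\Http\FormRequest;
use Illuminate\Validation\Rule;

class UserRequest extends FormRequest
{
    /** Roles this admin panel knows about (assumed values). */
    const ROLES = ['admin', 'editor', 'user'];

    /**
     * Only an authenticated admin may reach the update() action at all.
     */
    public function authorize()
    {
        return $this->user() !== null && $this->user()->role === 'admin';
    }

    /**
     * Validation runs before the controller method is entered; on failure
     * Laravel redirects back with the errors and update() never runs.
     */
    public function rules()
    {
        return [
            // The id must refer to an existing user row.
            'id'       => 'required|integer|exists:users,id',
            'name'     => 'required|string|max:255',
            'email'    => [
                'required',
                'email',
                'max:255',
                // Same check as the hand-written $hasuser query, performed by
                // the validator: users.email must be unique, ignoring the row
                // whose id is the one being updated.
                Rule::unique('users', 'email')->ignore($this->input('id')),
            ],
            'phone'    => 'nullable|string|max:32',
            // Whitelist the role so an arbitrary string cannot reach the column.
            'role'     => ['required', Rule::in(self::ROLES)],
            // Optional on update; when present it must be confirmed and long enough.
            'password' => 'nullable|string|min:8|confirmed',
        ];
    }
}
```

With this request class the manual `$hasuser` lookup in the controller becomes redundant, since a duplicate email fails validation before `update()` is called. On Laravel 5.5 and later, reading fields from `$request->validated()` instead of `$request['...']` also guarantees the controller only ever sees keys that have a rule, which keeps a stray extra field (for example a `role` the form was not supposed to submit) from being assigned.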
