After reading about SQL injection I wonder how secure it is to create apps in Laravel and how to test if your security meets today's standards?
相关问题
- “Zero out” sensitive String data in Swift
- sqlyog export query result as csv
- NOT DISTINCT query in mySQL
- MySQL: conduct a basic search
- Laravel 5.1 MethodNotAllowedHttpException on store
I've developed a few Laravel applications and found them to be pretty secure in my eyes.
I ran a variety of penetration tests, OWASP ZAP scanner, sqlsus and 5+ tools including bbqsql and similar things for DB pen tests, nmap for port scanning, then switched ZAP to attack mode to perform various XSS and CSRFs and found no vulnerabilities from Laravel itself - just a couple of things from my server itself which I patched up.
It's important to say that no application is 100% secure as it depends a lot on how you do things.
However, Laravel does do a pretty good job out of the box by protecting you from:
SQL injection: if you use Eloquent queries these will keep you safe. But you will be vulnerable if you use
DB::raw()
queries as these can open you up to injection.CSRF: Laravel takes care of this with CSRF tokens that it checks on each
POST
request so make sure you use them, essentially this protects you from someone changing the nature of the request, i.e fromPOST
toGET
.XSS: First sanitise user input. Variables are not escaped using the blade syntax
{!! !!}
, which resolves to<?= e($foo) ?>
inside your HTML code, whereas{{ }}
escapes the data.This is a pretty short overview of Laravel security. Once you start opening yourself up with file uploads etc it can be a little bit more tricky, additionally doing unsafe things in PHP.
This article here, might be an interesting read to go a little more in depth with the above.
In short, I've found Laravel to be secure from all the attacks I've ever run by using Eloquent and sanitising input where required, along with the correct use of blade syntax and the
CSRF
token.