Laravel: validating backend submitted data
I am building an application for a smaller group of administrators which will be locked down by password. Take it as a small "intranet" app. As my POST data is getting larger (many input fields, long forms), I am wondering about security.
My app is written with AngularJS, so I have made a full frontend validation.
NOTE: I am not using routes with AngularJS; Laravel is taking care of that. All of the data is posted by Ajax calls, and Laravel is inserting the data into the database. Both frameworks are running on the same domain.
So, here are my concerns:
Should I still validate data at the backend?
Here is my thinking.
- Laravel uses CSRF protection, so no data can be submitted from another "outside" form.
- If the user (administrator) submits a string but not an integer as needed (as defined by the database structure), the insert will not happen.
- Laravel escapes input data, so I presume no SQL injection can be performed? I am using Eloquent ORM through all of my code.
- Is there something more? In general, what could be validated? Just types of inputs?
Extra question: What should I be doing differently if my app wasn't behind a password?
php ajax forms validation laravel
edited Nov 13 '18 at 2:40
Cœur
asked Jun 29 '15 at 18:03
be-codified
2 Answers
In general, yes.
If a mistake is made while working on the front-end, you can end up sending data in a format that your application might not be able to handle.
Also, data from the client cannot always be relied on. Different browsers might behave in different ways and can send you data in unpredictable ways.
You should validate for minimum/maximum length, format (proper email address, file names, etc.), and so on, depending on the type of value, on the backend as well.
answered Jun 29 '15 at 18:31
John M
- Include the CSRF token in the request header when sending data through Ajax.
After receiving the request data in the controller, just include Laravel validation like this:
```php
// Validates the incoming request; throws a ValidationException when a rule fails
$validationData = $request->validate([
    'title' => 'required|unique:posts|max:255',
]);
```
edited Nov 13 '18 at 5:10
Saeed Zhiany
answered Nov 13 '18 at 4:38
rahulaggarwal11
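Both answers say the same thing: keep the AngularJS checks for usability, but treat the Laravel side as the only validation that counts, and check length, type and format there. The controller below is an added example (not code from the question or either answer) that applies that advice to the kind of form the question describes. It assumes a Laravel application with hypothetical `Post` and `Category` Eloquent models, a `posts.title` column, a `PostPolicy` with a `create` ability, and the `auth` middleware on the route; all of those names are assumptions, not something the page states.

```php
<?php
// Added example, not code from the question or either answer. Assumes a Laravel
// app with hypothetical Post and Category models (App\Models namespace, Laravel 8+
// layout), a PostPolicy, and an authenticated user on the request.

namespace App\Http\Controllers;

use App\Models\Post;
use Illuminate\Http\Request;

class PostController extends Controller
{
    public function store(Request $request)
    {
        // Authorization is a separate check from validation: a logged-in
        // administrator is not automatically allowed to create every record.
        // Assumes PostPolicy::create() exists.
        $this->authorize('create', Post::class);

        // Server-side rules mirror what the AngularJS front end already checks.
        // A front-end bug or a hand-crafted request skips the browser checks;
        // these rules run on every request regardless. When a rule fails Laravel
        // throws a ValidationException, which for XHR/JSON requests becomes a
        // 422 response carrying the errors keyed by field name.
        $validated = $request->validate([
            'title'       => ['required', 'string', 'max:255', 'unique:posts,title'],
            // 'integer' rejects "12abc" and "1.5"; min/max bound the range the
            // column is expected to hold, which the database type alone does not.
            'quantity'    => ['required', 'integer', 'min:0', 'max:100000'],
            'email'       => ['required', 'email', 'max:254'],
            // 'exists' confirms the foreign key points at a real row.
            'category_id' => ['required', 'integer', 'exists:categories,id'],
            'published'   => ['sometimes', 'boolean'],
            'notes'       => ['nullable', 'string', 'max:5000'],
        ]);

        // Persist only the validated, explicitly listed fields. Passing
        // $request->all() here would let the client set any column the model
        // marks fillable, even ones that never appear on the form.
        $post = Post::create($validated + ['created_by' => $request->user()->id]);

        return response()->json($post, 201);
    }
}
```

Two design points. The rules are written as arrays rather than pipe-delimited strings so that a stray `|` or a missing quote, as in the second answer's original snippet, is caught by the PHP parser instead of silently producing a different rule set. And the values written to the database come from `$validated`, not from the raw request: Eloquent's query builder binds values as parameters, so the SQL injection concern in the question is handled by the ORM, but binding says nothing about whether a field should be writable at all, which is what the rule list and `$validated` decide.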