I have some forms in my page made in Laravel. According to documentation, triple braces - {{{ }}} can escape the output. So when I use:
{{{ Form::text('name') }}}
can I be 100% sure that there is no possibility to insert SQL injection command into this form input?
No, you understood the {{{ }}} wrong. They escape the output.
So if you do
{{{ Form::text('name') }}}
The result is this:
<input name="name" type="text">
It still generates HTML code, but it gets escaped, so it's not interpreted as HTML but shown as plain text.
Preventing SQL injection
You have to prevent SQL injection when saving data to the DB. Normally you do that in your controller. If you use Eloquent or Laravel's Query Builder you don't have to worry too much; it will take care of possible SQL injection points. Only if you execute raw SQL do you have to pay attention.
From the Laravel Docs:
Note: The Laravel query builder uses PDO parameter binding throughout to protect your application against SQL injection attacks. There is no need to clean strings being passed as bindings.
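To make the answer's distinction concrete, here is an added Python example; it is not Laravel or PDO code. html.escape plays the part of {{{ }}}, and sqlite3 with ? placeholders plays the part of the query builder's PDO bindings; the table contents and the payloads are constructed. It shows that escaping defends the HTML sink only: the escaped <input> markup becomes inert text, an HTML-escaped payload with no special characters still rewrites a concatenated query, and a bound parameter keeps the same payload as plain data.

```python
"""Output escaping and parameter binding guard different sinks.

Added example, not Laravel or PDO code: html.escape plays the part of {{{ }}},
and sqlite3 with ? placeholders plays the part of the query builder's PDO
bindings.  The table contents and payloads are constructed.
"""
import html
import sqlite3
from typing import List


def render_escaped(markup: str) -> str:
    """What {{{ }}} does: make markup safe to show as text in an HTML page."""
    return html.escape(markup, quote=True)


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table standing in for the application's."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn


def find_user_interpolated(conn: sqlite3.Connection, name: str) -> List[str]:
    """Raw SQL built by concatenation: the input becomes part of the statement."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def find_by_id_interpolated(conn: sqlite3.Connection, id_text: str) -> List[str]:
    """Numeric context built by concatenation: no quotes, so nothing for HTML escaping to touch."""
    sql = "SELECT name FROM users WHERE id = " + id_text + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def find_user_bound(conn: sqlite3.Connection, name: str) -> List[str]:
    """The same lookup with a bound parameter: the input can only ever be a value."""
    rows = conn.execute("SELECT name FROM users WHERE name = ? ORDER BY id", (name,))
    return [row[0] for row in rows]


def save_name_bound(conn: sqlite3.Connection, name: str) -> str:
    """Store untrusted input through a binding and read back exactly what was stored."""
    cur = conn.execute("INSERT INTO users (name) VALUES (?)", (name,))
    return conn.execute("SELECT name FROM users WHERE id = ?", (cur.lastrowid,)).fetchone()[0]


# Constructed sample inputs: a string-context and a numeric-context tautology.
STRING_PAYLOAD = "' OR '1'='1"
NUMERIC_PAYLOAD = "1 OR 1=1"

if __name__ == "__main__":
    conn = make_db()
    print(render_escaped('<input name="name" type="text">'))               # inert text
    print(find_user_interpolated(conn, STRING_PAYLOAD))                    # every row
    print(find_by_id_interpolated(conn, render_escaped(NUMERIC_PAYLOAD)))  # still every row
    print(find_user_bound(conn, STRING_PAYLOAD))                           # no match
    print(save_name_bound(conn, STRING_PAYLOAD))                           # stored verbatim
```

The numeric case is the one to remember: html.escape leaves "1 OR 1=1" untouched, so an application that "escapes everything" and then concatenates is still injectable. Bind the value and the statement text never changes.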
In the code below I get a PgArray as an array of primary keys to the template table, from another select query (<collection ... select='selectTemplate'/>). But the solution below seems like a little messy way of doing it. Isn't there a way to access the array directly, so I wouldn't need to cast?
Hint: Having #{_parameter} doesn't work.
<select id="selectTemplate" parameterType="org.postgresql.jdbc.PgArray" resultMap="templateResultMap">
SELECT *
FROM template
WHERE template.id = ANY ('${_parameter}'::int[])
</select>
I am working on an issue raised by the security team about a possible XSS attack on a few input fields on our form. Our freemarker page has the following code.
<#assign zipcode = someObject.getInfo().getZipCodeFirstFive()>
I read up on HTML encoding, and it talks about adding ?html at the end, but I couldn't find the FreeMarker syntax anywhere. So, could I do something like
<#assign zipcode = (someObject.getInfo().getZipCodeFirstFive())?html>
to make it output encoded?
Yes, that would be a possible syntax for this, though I would recommend two things to make it more readable:
You don't need the extra (), you can just write someObject.getInfo().getZipCodeFirstFive()?html
It's unrelated to escaping, but you don't need to write out getters either, so you end up with someObject.info.zipCodeFirstFive?html
In the longer term, I would recommend escaping by default. Before 2.3.24 that's done by surrounding each template with <#escape x as x?html>...</#escape>. Starting from 2.3.24 the recommended method is auto-escaping set up globally, in the Configuration.
From the website https://www.google.co.uk/finance?cid=704531 I'm trying to import the fields "Range" and "52 week" and the others in that group in the middle. I've looked at XPath and am very confused by it.
In cell A1 I have https://www.google.co.uk/finance?cid=704531.
In cell B1 I have
=importxml(A1,//*[@id="market-data-div"]/div[2]/div[1]/table[1]/tbody/tr[4]/td[1])
But the result is an error.
What's the correct XPath expression for this HTML structure?
DOM and the <tbody/>
It seems you created that XPath expression within Firebug or similar developer tools. While HTML does not require <tbody/> tags, DOM does; and those developer tools work on the DOM and thus wrap the table rows in such an element. You can easily see the difference when looking at the page source (fetched by wget or other tools if necessary) and the structure presented by Firebug.
Just omit the /tbody axis step in your expression:
//*[@id='market-data-div']/div[2]/div[1]/table[1]/tr[4]/td[1]
Anyway, I'd rather go for fetching the cells by their description, which is a little weaker regarding changes to the wording, but much more robust to changes in the structure:
//*[@id='market-data-div']//tr[td = 'Vol / Avg.']/td[2]
Quoting the Expression
A second problem is that you have to quote the XPath expression in double quotes, so for example use:
=importxml(A1,"//*[@id='market-data-div']//tr[td = 'Vol / Avg.']/td[2]")
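The tbody point is easy to see offline. The Python example below is added here and is not code from the page or from Google Sheets: the markup is a constructed, well-formed stand-in for the quoted page (the real page is not fetched), and xml.etree evaluates the XPath subset used in the answer (it requires relative paths, hence the leading dot). It runs the Firebug-style path, the answer's corrected path, and the label-based path against both the raw source and a browser-style DOM with <tbody> inserted.

```python
"""Why a path copied from developer tools misses on the raw HTML.

Added example, not code from the page or from Google: browsers insert <tbody>
when they build the DOM from markup that omits it, so a path copied from
Firebug names an element the fetched source never contains.  The markup below
is a constructed, well-formed stand-in for the quoted page; xml.etree supports
the XPath subset used here but needs relative paths, hence the leading dot.
"""
import xml.etree.ElementTree as ET
from typing import List

# Constructed source as the server sends it: rows directly under <table>.
RAW_SOURCE = """<html><body>
<div id="market-data-div">
  <div>first column</div>
  <div>
    <div>
      <table>
        <tr><td>Range</td><td>1.00 - 2.00</td></tr>
        <tr><td>52 week</td><td>0.50 - 3.00</td></tr>
        <tr><td>Open</td><td>1.10</td></tr>
        <tr><td>Vol / Avg.</td><td>1.2M/3.4M</td></tr>
      </table>
    </div>
  </div>
</div>
</body></html>"""

# The same markup as a browser's DOM presents it: rows wrapped in <tbody>.
DOM_VIEW = (RAW_SOURCE.replace("<tr>", "<tbody><tr>", 1)
                      .replace("</table>", "</tbody></table>"))

# The three expressions from the discussion, made relative for xml.etree.
FIREBUG_PATH = ".//*[@id='market-data-div']/div[2]/div[1]/table[1]/tbody/tr[4]/td[1]"
SOURCE_PATH = ".//*[@id='market-data-div']/div[2]/div[1]/table[1]/tr[4]/td[1]"
LABEL_PATH = ".//*[@id='market-data-div']//tr[td='Vol / Avg.']/td[2]"


def select_text(markup: str, xpath: str) -> List[str]:
    """Parse the markup and return the text of every node the expression selects."""
    root = ET.fromstring(markup)
    return [node.text for node in root.findall(xpath)]


if __name__ == "__main__":
    for label, markup in (("raw source", RAW_SOURCE), ("DOM view", DOM_VIEW)):
        print(label,
              select_text(markup, FIREBUG_PATH),
              select_text(markup, SOURCE_PATH),
              select_text(markup, LABEL_PATH))
```

The positional paths each work on exactly one of the two trees, while the label-based path selects the same cell in both, which is the robustness the answer is after.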
I'm programming with MyBatis and I have this code
<if test="@mypackage.verylongname.utilities.MyBatisUtilities@isNotEmpty(recipient)">
and DOCUMENTS.recipient = #{recipient}
</if>
I'd like to have a way to avoid using the full pathname of my class MyBatisUtilities. Is there one?
Adding an Alias to the mybatis-config file doesn't work
<typeAlias alias="MyBatisUtilities" type="mypackage.verylongname.utilities.MyBatisUtilities"/>
I don't think there is a way, no, not unless MyBatis provides some special extended functionality for OGNL.
That doesn't mean it ~couldn't~ be done within OGNL somehow with changes to the core library; I just don't believe it does currently. (My memory may be bad, but I'm pretty certain @fullclassname@methodname is the only way OGNL knows of to resolve static method invocations.)
"bind" lets you make a variable out of an OGNL expression. For more info see: http://mybatis.github.io/mybatis-3/dynamic-sql.html
<select id="selectBlogsLike" parameterType="Blog" resultType="Blog">
<bind name="pattern" value="'%' + _parameter.getTitle() + '%'" />
SELECT * FROM BLOG
WHERE title LIKE #{pattern}
</select>
After reading about Mapper XMLs I can't help wondering how one might go about applying some common transforms to a parameter. For example...
<select id="selectPerson" parameterType="String" resultType="hashmap">
<!-- #{name} should always be upper case and have a trailing % -->
SELECT * FROM PERSON WHERE FIRST_NAME like #{name}
</select>
After reading this and this I can make some observations.
Using SQL functions such as upper or concat or '||' or '+' to do transforms kills performance in DB2
I could always wrap the mapper or expose the details in the service layer, but that seems messy
What I want is to be able to do something like...
<select id="selectPerson" parameterType="String" resultType="hashmap">
<!-- #{name} should always be upper case and have a trailing % -->
SELECT * FROM PERSON WHERE FIRST_NAME like #{name.upperCase() + '%'}
</select>
Is something like this possible or what is the second best solution?
Update: it appears that MyBatis uses OGNL for some expression evaluation. For example, if and ${} expressions use OGNL but #{} does NOT appear to unless there is some way to trick it.
Bind
MyBatis allows for creating values from methods and properties in the context using <bind/>.
Bind creates a new variable in the scope of the current statement. The OGNL expression that binds the value can use the passed-in _parameter object to compute a new bound value, which MyBatis can then use as a parameter of the prepared statement.
Example
Your example using bind:
<select id="selectPerson" parameterType="String" resultType="hashmap">
<!-- #{name} should always be upper case and have a trailing % -->
<bind name="nameStartsWith" value="_parameter.toUpperCase() + '%'"/>
SELECT * FROM PERSON WHERE FIRST_NAME like #{nameStartsWith}
</select>
Source
MyBatis Dynamic SQL Documentation
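The two bind answers above (the LIKE pattern in selectBlogsLike and the upper-cased prefix in selectPerson) do the string work in OGNL and hand MyBatis one bound value, so the SQL text stays static and the database is not asked to UPPER() a whole column. The Python example below is added here and is not MyBatis code: sqlite3 with a ? placeholder stands in for the prepared statement, and the PERSON rows are constructed. It performs the same transform in application code and adds the caveat the mapper example leaves out: '%' and '_' in the user's text are LIKE wildcards unless escaped, so a prefix built exactly as in the bind example lets a single '%' match every row.

```python
"""Build the LIKE pattern in application code, bind it, and escape wildcards.

Added example, not MyBatis code: sqlite3 with a ? placeholder stands in for the
prepared statement that #{nameStartsWith} would be bound into.  The PERSON rows
are constructed.  SQLite's LIKE is already case-insensitive for ASCII, so the
upper-casing here only mirrors the transform the mapper asked for.
"""
import sqlite3
from typing import List

ESCAPE_CHAR = "\\"


def make_db() -> sqlite3.Connection:
    """Constructed PERSON table mirroring the mapper's column names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE PERSON (ID INTEGER PRIMARY KEY, FIRST_NAME TEXT NOT NULL)")
    conn.executemany("INSERT INTO PERSON (FIRST_NAME) VALUES (?)",
                     [("ALICE",), ("ALBERT",), ("BOB",), ("A_B",), ("100%",)])
    return conn


def starts_with_pattern(name: str) -> str:
    """Equivalent of <bind value="_parameter.toUpperCase() + '%'"/>: no wildcard escaping."""
    return name.upper() + "%"


def escape_like(value: str) -> str:
    """Escape the LIKE metacharacters so the user's text matches literally."""
    return (value.replace(ESCAPE_CHAR, ESCAPE_CHAR * 2)
                 .replace("%", ESCAPE_CHAR + "%")
                 .replace("_", ESCAPE_CHAR + "_"))


def safe_starts_with_pattern(name: str) -> str:
    """Same transform, but only the trailing '%' we append acts as a wildcard."""
    return escape_like(name.upper()) + "%"


def select_person(conn: sqlite3.Connection, pattern: str) -> List[str]:
    """The mapper's SELECT with the precomputed pattern bound as a single parameter.

    The ESCAPE clause is a literal backslash; it has to match ESCAPE_CHAR.
    """
    rows = conn.execute(
        "SELECT FIRST_NAME FROM PERSON WHERE FIRST_NAME LIKE ? ESCAPE '\\' ORDER BY ID",
        (pattern,),
    )
    return [r[0] for r in rows]


if __name__ == "__main__":
    conn = make_db()
    print(select_person(conn, starts_with_pattern("al")))        # the intended prefix search
    print(select_person(conn, starts_with_pattern("a_")))        # '_' matched any character
    print(select_person(conn, safe_starts_with_pattern("a_")))   # only the literal A_B
    print(select_person(conn, starts_with_pattern("%")))         # one '%' returns every row
    print(select_person(conn, safe_starts_with_pattern("%")))    # nothing starts with '%'
```

This is not SQL injection (the statement text never changes), but it is the same class of mistake: user text interpreted in a grammar it was not meant for. If the wildcard behaviour is wanted, say so deliberately; otherwise escape before appending the '%'.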
I ran into the same problem too, but I didn't find any solution for this, so I had to preprocess the #{name} parameter in the calling function.