51369b610e
When an include is not surrounded by empty lines, its content is inlined on the same line as the adjacent content. That can lead to broken tags and other display issues. This PR fixes all such includes and introduces a validation step that forbids introducing the same problem again.
75 lines
1.5 KiB
Plaintext
75 lines
1.5 KiB
Plaintext
== How to fix it in Laravel
|
|
|
|
=== Code examples
|
|
|
|
include::../../common/fix/code-rationale.adoc[]
|
|
|
|
==== Noncompliant code example
|
|
|
|
[source,php,diff-id=1,diff-type=noncompliant]
|
|
----
|
|
namespace App\Http\Controllers;
|
|
|
|
use Illuminate\Http\Request;
|
|
use Illuminate\Support\Facades\DB;
|
|
|
|
class UserController extends Controller
|
|
{
|
|
public function authenticate(Request $request)
|
|
{
|
|
$user = $request->input('user');
|
|
$pass = $request->input('pass');
|
|
|
|
$query = "SELECT * FROM users WHERE user = '" . $user . "' AND pass = '" . $pass . "'";
|
|
|
|
$users = DB::select($query); // Noncompliant
|
|
|
|
if (count($users) != 1)
|
|
{
|
|
abort(401);
|
|
}
|
|
|
|
return view('authenticated.index');
|
|
}
|
|
}
|
|
----
|
|
|
|
==== Compliant solution
|
|
|
|
[source,php,diff-id=1,diff-type=compliant]
|
|
----
|
|
namespace App\Http\Controllers;
|
|
|
|
use Illuminate\Http\Request;
|
|
use Illuminate\Support\Facades\DB;
|
|
|
|
class UserController extends Controller
|
|
{
|
|
public function authenticate(Request $request)
|
|
{
|
|
$user = $request->input('user');
|
|
$pass = $request->input('pass');
|
|
|
|
$user_exists = DB::table('users')
|
|
->where('user', $user)
|
|
->where('pass', $pass)
|
|
->exists();
|
|
|
|
if (!$user_exists)
|
|
{
|
|
abort(401);
|
|
}
|
|
|
|
return view('authenticated.index');
|
|
}
|
|
}
|
|
----
|
|
|
|
=== How does this work?
|
|
|
|
:secure_feature: Illuminate
|
|
:unsafe_function: DB::raw()
|
|
|
|
include::../../common/fix/secure-by-design.adoc[]
|
|
|