Security Tip: Casing Request Values
[Tip#39] Not a new feature, but definitely worth knowing about.
Greetings friends! It looks like last week’s Timebox security tip was a bit of an eye-opener for everyone - new technologies like HTTP/2 bring all sorts of new concerns. This week we’re going back to basics and looking at a feature of Laravel’s Request object that isn’t strictly a “security feature”, but can reduce vulnerabilities and produce more robust code.
I’ve had some availability open for my Laravel Security Audits and Penetration Tests in the next few weeks, so reach out if you’d like me to test the security of your app! I’ve found vulnerabilities in every app I’ve worked on, and it’s not simply enough to just “follow best practices” - vulnerable code can easily slip in and be missed if you’re not looking for it.
Laravel Security In Depth is a bestselling reader-supported publication. Join over 1,900+ Laravel developers, learning about keeping their apps secure each week.
Looking to learn more?
⏩ Security Tip #23: Scoping Bindings
▶️ In Depth #9: Signed URLs
Casing Request Values
Laravel’s Request object(
`Illuminate\Http\Request`) includes a number of methods for extracting user input. My personal favourite is the
`validate()`method, however there are a number of others you can reach for instead, depending on your use case.
Sometimes you’ll need to pull out specific request values and transform them into specific types, such as integers or booleans. Although you can do this manually, there is always the potential to forget or rely on type juggling and for subtle vulnerabilities to be introduced.
So instead, a safer way to do it is to ask the Request object to give you the input value in the type you need it in. It’ll return a properly typed value that you can use safely throughout your app.
The available methods are:
public function string($key, $default = null): \Illuminate\Support\Stringable; public function boolean($key = null, $default = false): bool; public function integer($key, $default = 0): int; public function float($key, $default = 0.0): float; public function date($key, $format = null, $tz = null): \Illuminate\Support\Carbon; public function enum($key, $enumClass): <Enum>;
With the exception of
`string()`, they are all pretty self-explanatory. The
`string()` method actually returns an instance of
You won’t need this all the time, but it’ll save you some effort and reduce potential bugs when you do. 🙂
Which we talked out back in Security Tip #7: Validating User Input.
Check out Security Tip #26: Type Juggling
To learn about Stringable, see : https://laravel.com/docs/10.x/helpers#fluent-strings